Abstract. We consider the problem of existential quantifier elimination
for Boolean formulas in Conjunctive Normal Form (CNF). We present a
new method for solving this problem called Derivation of
Dependency-Sequents (DDS). A Dependency-sequent (D-sequent) is used to
record that a set of quantified variables is redundant under a partial
assignment. We introduce a resolution-like operation called join that
produces a new D-sequent from two existing D-sequents. We also show that
DDS is compositional, e.g., if our input formula is a conjunction of
independent formulas, DDS automatically recognizes and exploits this
information. We introduce an algorithm based on DDS and present
experimental results demonstrating its potential.

1 Introduction 

In this paper, we consider the problem of eliminating existential quantifiers from
Boolean CNF formulas. In the sequel, we omit the word "existential." Given
a Boolean CNF formula $\exists X[F]$, the problem is to find a quantifier-free CNF
formula $G$ such that $G \equiv \exists X[F]$. We assume that the set of non-quantified
variables $Vars(F) \setminus X$ is, in general, not empty. ($Vars(F)$ is the set of
variables of $F$.) So $G$ specifies a Boolean function depending on non-quantified
variables of $F$. We refer to this problem as the QE problem, where QE stands for
Quantifier Elimination.

Our interest in the QE problem is twofold. First, the QE problem occurs in
numerous areas of hardware/software design and verification, e.g., in symbolic
model checking [10,19] when computing reachable states. Second, one can argue
that progress in solving the QE problem should have a deep impact on
SAT-solving [13]. In particular, as McMillan pointed out, even the basic operation
of resolution is related to the QE problem [18]. The resolvent $C$ of clauses
$C', C''$ on a variable $v$ is obtained by eliminating the quantifier from
$\exists v[C' \wedge C'']$.

The success of resolution-based SAT-solvers [20,21] has led to the hunt for
efficient SAT-based algorithms for the QE problem [18,15,7,12]. In this paper,
we continue in this direction by introducing a resolution-based QE algorithm.
Our approach is based on the following observation. The QE problem is trivial
if $F$ does not depend on variables of $X$. In this case, dropping the quantifiers
from $\exists X[F]$ does not affect the meaning of the formula. If $F$ depends on $X$,
after adding to $F$ a set of clauses implied by $F$, the variables of $X$ may become
redundant. If this happens, all the clauses of $F$ depending on $X$ can be dropped
and the resulting formula $G$ is equivalent to the original formula $\exists X[F]$. The
problem is that one needs to know when the variables of $X$ become redundant.



Unfortunately, resolution is deficient in expressing redundancy of variables.
Let $Y$ denote the set of non-quantified variables in $\exists X[F]$, i.e. $Y = Vars(F) \setminus X$.
Let $y$ be a complete assignment for $Y$ and $F_y$ denote $F$ under assignment $y$. Then
a clause $C$ falsified by $y$ can be derived by resolving clauses of $F$. After adding
$C$ to $F$, the variables of $X$ are redundant in $\exists X[F_y]$. In this case, resolution
works. Assume, however, that $F_y$ is satisfiable. Then, the variables of $X$ are also
redundant in $\exists X[F_y]$ because $F_y$ remains satisfiable after removing any clauses.
But a resolution derivation cannot express this fact because no clause falsified
by $y$ is implied by $F$.

To address the problem above, we introduce the notion of Dependency sequents
(D-sequents). A D-sequent has the form $(\exists X[F], q) \rightarrow Z$ where $q$ is a
partial assignment to variables of $F$ and $Z \subseteq X$. This D-sequent states that in
the subspace specified by $q$, the variables of $Z$ are redundant in $\exists X[F]$. That
is, in this subspace, the clauses containing variables of $Z$ can be removed from
$F$ without changing the meaning of $\exists X[F]$. In particular, if the formula $F_y$ is
satisfiable, the D-sequent $(\exists X[F], y) \rightarrow X$ holds.

In this paper, we introduce a QE algorithm called DDS (Derivation of
D-Sequents). In DDS, adding resolvent clauses to $F$ is accompanied by computing
D-sequents. The latter are used to precisely identify the moment when the
variables of $X$ are redundant. It occurs when the D-sequent $(\exists X[F], \emptyset) \rightarrow X$ is
derived stating unconditional redundancy of $X$. Then, a solution $G$ to the QE
problem is obtained from $F$ by dropping the clauses containing variables of $X$.

DDS produces new D-sequents from existing ones by operation join. Let
$(\exists X[F], q_1) \rightarrow Z$ and $(\exists X[F], q_2) \rightarrow Z$ be D-sequents where $q_1$ and $q_2$ have
opposite assignments to exactly one variable $v$. Then a new D-sequent
$(\exists X[F], q) \rightarrow Z$ can be obtained by joining the D-sequents above, where $q$
contains all assignments of $q_1$ and $q_2$ but those to $v$.

In this paper, we compare DDS with its counterparts both theoretically and
experimentally. In particular, we show that DDS is compositional while
algorithms based on enumeration of satisfying assignments [18,16,12,7] are not.
Compositionality here means that given formula $\exists X[F_1 \wedge \dots \wedge F_k]$ where
formulas $F_i$ depend on non-overlapping sets of variables, DDS breaks the QE
problem into $k$ independent subproblems. DDS is a branching algorithm and yet it
remains compositional no matter how branching variables are chosen.
Compositionality of DDS means that its performance can be exponentially better
than that of enumeration-based QE algorithms. Since DDS is a branching algorithm
it can process variables of different branches in different orders. This gives
DDS a big edge over QE algorithms that eliminate quantified variables one by one
using a global order |15ll3j .

D-sequents are tightly related to boundary points [14]. A boundary point
is a complete assignment to variables of $F$ with certain properties. To make
variables of $Z \subseteq X$ redundant in $\exists X[F]$, one needs to eliminate a particular
set of boundary points. This elimination is performed by adding to $F$ resolvent
clauses that do not depend on variables of $Z$. DDS does not compute boundary
points explicitly. We introduce them solely to explain the semantics of DDS.

The contribution of this paper is as follows. First, we relate the notion of
variable redundancy with the elimination of boundary points. Second, we
introduce the notion of D-sequents and the operation of joining D-sequents. Third,
we introduce DDS, a QE algorithm; we prove its correctness and evaluate it
experimentally. Fourth, we show that DDS is compositional.

This paper is structured as follows. In Section 2, we relate the notions of
variable redundancy and boundary points. Section 3 explains the strategy of
DDS in terms of boundary point elimination. D-sequents are introduced in
Section 4. Sections 5 and 6 describe DDS and discuss its compositionality.
Section 7 gives experimental results. Background is discussed in Section 8 and
conclusions are presented in Section 9. In the appendix, we describe some details
of the implementation of DDS we used in experiments and give proofs of
propositions.

2 Redundant Variables, Boundary Points and Quantifier 
Elimination 

The main objective of this section is to introduce the notion of redundant
variables (Definition 5) and to relate it to the elimination of removable boundary
points (Proposition 2).

2.1 Redundant Variables and Quantifier Elimination 

In this paper, we consider a quantified CNF formula $\exists X[F]$ where $X \subseteq Vars(F)$.
We will refer to such formulas as $\exists$CNF. Let $q$ be an assignment, $F$ be a
CNF formula, and $C$ be a clause. $Vars(q)$ denotes the variables assigned in $q$;
$Vars(F)$ denotes the set of variables of $F$; $Vars(C)$ denotes the variables of $C$;
and $Vars(\exists X[F]) = Vars(F) \setminus X$.

Definition 1. Let $C$ be a clause, $F$ be a CNF formula, and $p$ be an assignment
such that $Vars(p) \subseteq Vars(F)$. $C_p$ is true if $C$ is satisfied by $p$; otherwise it
is the clause obtained from $C$ by removing all literals falsified by $p$. $F_p$ denotes
the CNF formula obtained from $F$ by replacing every clause $C$ with $C_p$ and then
removing all the clauses that are true (i.e. satisfied by $p$). If $Vars(F) \subseteq Vars(p)$,
then $F_p$ is semantically equivalent to a constant, and in the sequel, we will make
use of this without explicit mention.

Definition 2. Let $\exists X[F]$ be an $\exists$CNF formula and $p$ be an assignment such
that $Vars(p) \subseteq Vars(\exists X[F])$. Denote by $(\exists X[F])_p$ the $\exists$CNF formula $\exists X[F_p]$.
If $Vars(\exists X[F]) \subseteq Vars(p)$, $Vars(p) \cap X = \emptyset$, then $(\exists X[F])_p$ is semantically
equivalent to a constant, and in the sequel, we will make use of this without
explicit mention.

Definition 3. The Quantifier Elimination (QE) problem for $\exists$CNF formula
$\exists X[F]$ consists of finding a CNF formula $G$ such that $G \equiv \exists X[F]$. This
equivalence means that $G_p = (\exists X[F])_p$ holds for every complete assignment $p$ to the
variables of $Vars(G) \cup Vars(\exists X[F])$.

Definition 4. A clause $C$ of $F$ is called a $Z$-clause if $Vars(C) \cap Z \neq \emptyset$.
Denote by $F^Z$ the set of all $Z$-clauses of $F$.



Definition 5. The variables of $Z$ are redundant in CNF formula $F$ if
$F \equiv (F \setminus F^Z)$. The variables of $Z$ are redundant in $\exists$CNF formula $\exists X[F]$ if
$\exists X[F] \equiv \exists X[F \setminus F^Z]$. We note that since $F \setminus F^Z$ does not contain any $Z$
variables, we could have written $\exists(X \setminus Z)[F \setminus F^Z]$. To simplify notation, we
avoid explicitly using this optimization in the rest of the paper.

2.2 Redundant Variables and Boundary Points 

Definition 6. Given assignment $p$ and a formula $F$, we say that $p$ is an
$F$-point (or a point of $F$) if $Vars(F) \subseteq Vars(p)$.

In the sequel, by "assignment" we mean a possibly partial one. To refer to a
complete assignment we will use the term "point".

Definition 7. A point $p$ of CNF formula $F$ is called a $Z$-boundary point of
$F$ if a) $Z \neq \emptyset$; b) $F_p = false$; c) every clause of $F$ falsified by $p$ is a $Z$-clause;
d) the previous condition breaks for every proper subset of $Z$.

Suppose that $p$ is a $Z$-boundary point of $F$ and $F$ is satisfiable. If only $Z$
variables can be flipped in $p$, then it is at least $|Z|$ flips away from a satisfying
assignment, hence the name "boundary."

Definition 8. Given a CNF formula $F$ and a $Z$-boundary point, $p$, of $F$:

• $p$ is $X$-removable in $F$ if 1) $Z \subseteq X \subseteq Vars(F)$; and 2) there is a clause $C$
such that a) $F$ implies $C$; b) $C_p = false$; and c) $Vars(C) \cap X = \emptyset$.

• $p$ is removable in $\exists X[F]$ if $p$ is $X$-removable in $F$.

In the above definition, notice that $p$ is not a $Z$-boundary point of $F \wedge C$
because $p$ falsifies $C$ and $Vars(C) \cap Z = \emptyset$.

Proposition 1. A $Z$-boundary point $p$ of $F$ is removable in $\exists X[F]$, iff one
cannot turn $p$ into an assignment satisfying $F$ by changing only the values of
variables of $X$.

The proofs are given in Appendix. 

Proposition 2. The variables of $Z \subseteq X$ are not redundant in $\exists X[F]$ iff there
is an $X$-removable $W$-boundary point of $F$, $W \subseteq Z$.

Proposition 2 justifies the following strategy of solving the QE problem. Add
to $F$ a set $G$ of clauses that a) are implied by $F$; b) eliminate all $Z$-removable
boundary points for all $Z \subseteq X$. By dropping all $X$-clauses of $F$, one produces a
solution to the QE problem.
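
The check behind Propositions 1 and 2, as an added example that is not code from the paper: a brute-force enumeration of removable boundary points for the two-clause formula of Example 2 (Subsection 5.6), before and after its resolvent is added. The literal encoding, the function names and the clause polarities (C1 = NOT y1 OR NOT x, C2 = y2 OR x, as the walkthrough of Example 2 implies) are assumptions of this example.

```python
from itertools import combinations, product

# Constructed encoding (not from the paper): a literal is (variable, value),
# so ("x", 0) is NOT x; a clause is a frozenset of literals; a CNF formula is
# a list of clauses; a point is a dict {variable: 0 or 1}.
X = ["x"]
C1 = frozenset({("y1", 0), ("x", 0)})    # NOT y1 OR NOT x
C2 = frozenset({("y2", 1), ("x", 1)})    # y2 OR x
C3 = frozenset({("y1", 0), ("y2", 1)})   # resolvent of C1 and C2 on x
F = [C1, C2]
H = [C1, C2, C3]


def falsified(cnf, p):
    """Clauses of cnf falsified by the complete assignment p."""
    return [c for c in cnf if all(p[v] != val for v, val in c)]


def boundary_sets(cnf, p):
    """Every Z for which p is a Z-boundary point (Definition 7): the minimal
    non-empty variable sets that intersect each clause falsified by p."""
    bad = falsified(cnf, p)
    if not bad:
        return []                         # p satisfies cnf: not a boundary point
    cand = sorted({v for c in bad for v, _ in c})
    hits = [set(z)
            for n in range(1, len(cand) + 1)
            for z in combinations(cand, n)
            if all(set(z) & {v for v, _ in c} for c in bad)]
    return [z for z in hits if not any(h < z for h in hits)]


def removable(cnf, quantified, p):
    """Proposition 1: p is removable iff no re-assignment of the quantified
    variables alone turns p into an assignment satisfying cnf."""
    xs = sorted(quantified)
    return all(falsified(cnf, {**p, **dict(zip(xs, bits))})
               for bits in product((0, 1), repeat=len(xs)))


def witnesses(cnf, quantified, Z):
    """Proposition 2: the removable W-boundary points with W a subset of Z.
    Z is redundant in EXISTS X [cnf] exactly when this list is empty."""
    vs = sorted({v for c in cnf for v, _ in c})
    found = []
    for bits in product((0, 1), repeat=len(vs)):
        p = dict(zip(vs, bits))
        for w in boundary_sets(cnf, p):
            if w <= set(Z) and removable(cnf, quantified, p):
                found.append((p, w))
    return found


if __name__ == "__main__":
    print("F:", witnesses(F, X, X))       # two points, both with y1=1, y2=0
    print("F and C3:", witnesses(H, X, X))  # none: x has become redundant
```

Both witnesses in F lie in the subspace y1 = 1, y2 = 0, which is exactly the subspace the resolvent C3 excludes.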

3 Boundary Points and Divide-and-Conquer Strategy

In this section, we provide the semantics of the QE algorithm DDS described
in Section 5. DDS is a branching algorithm. Given an $\exists$CNF formula $\exists X[F]$,
it branches on variables of $F$ until proving redundancy of variables of $X$ in
the current subspace becomes trivial. Then DDS merges the results obtained
in different branches to prove that the variables of $X$ are redundant in the
entire search space. Below we give propositions justifying the divide-and-conquer
strategy of DDS.

Proposition 3 shows how to perform elimination of removable boundary
points of $F$ in the subspace specified by assignment $q$. This is done by using
formula $F_q$, a "local version" of $F$. Proposition 4 justifies proving redundancy
of variables of $X$ in $F_q$ one by one. Finally, Subsection 3.2 describes two cases
where proving variable redundancy is trivial.



3.1 Decomposing the Problem of Boundary Point Elimination 

Definition 9. Let $q_1$ and $q_2$ be assignments. The expression $q_1 < q_2$ denotes
the fact that $Vars(q_1) \subseteq Vars(q_2)$ and each variable of $Vars(q_1)$ has the same
value in $q_1$ and $q_2$.

Proposition 3. Let $\exists X[F]$ be an $\exists$CNF formula and $q$ be an assignment to
$Vars(F)$. Let $p$ be a $Z$-boundary point of $F$ where $q < p$ and $Z \subseteq X$. Then if $p$
is removable in $\exists X[F]$ it is also removable in $\exists X[F_q]$.

Remark 1. Proposition 3 is not true in the opposite direction. That is, a
boundary point may be $X$-removable in $F_q$ and not $X$-removable in $F$. For instance, if
$X = Vars(F)$, a $Z$-boundary point $p$ of $F$ is removable in $\exists X[F]$ for any $Z \subseteq X$
only by adding an empty clause to $F$. So if $F$ is satisfiable, $p$ is not removable
in $\exists X[F]$. Yet $p$ may be removable in $\exists X[F_q]$ if $F_q$ is unsatisfiable.

Definition 10. Let $\exists X[F]$ be an $\exists$CNF formula, $q$ be an assignment to $Vars(F)$,
and $Z \subseteq (X \setminus Vars(q))$. Variables of $Z$ are called virtually redundant in
$\exists X[F_q]$ if $\exists X[F_q \setminus (F_q)^Z] \equiv (\exists X[F])_r$ where $r < q$ and $Vars(r) = Vars(q) \setminus X$.

Remark 2. Redundancy of variables of $Z$ in $\exists X[F_q]$ in terms of Definition 5 is a
special case of virtual redundancy. To prove variables of $Z$ redundant in $\exists X[F]$
in subspace $q$, it is sufficient to show virtual redundancy of $Z$ in $\exists X[F_q]$. The
reason is that one can ignore $Z$-boundary points that are removable in $\exists X[F_q]$
and not removable in $\exists X[F]$. We introduce a new notion of redundancy of
variables $Z$ in $F_q$ because the operation of joining D-sequents preserves only virtual
redundancy of $Z$ (Subsection 4.2). In the sequel, when we say that variables of $Z$
are redundant in $\exists X[F_q]$ we mean that they are at least virtually redundant.

Proposition 4. Let $\exists X[F]$ be a CNF formula and $q$ be an assignment to
variables of $F$. Let the variables of $Z$ be redundant in $\exists X[F_q]$ where
$Z \subseteq (X \setminus Vars(q))$. Let a variable $v$ of $X \setminus (Vars(q) \cup Z)$ be redundant in
$\exists X[F_q \setminus (F_q)^Z]$. Then the variables of $Z \cup \{v\}$ are redundant in $\exists X[F_q]$.

Proposition 4 shows that one can make variables of $X \setminus Vars(q)$ redundant
incrementally, if every $\{v\}$-clause is removed from $F_q$ as soon as variable $v$ is
proved redundant.



3.2 Two Trivial Cases of Variable Redundancy 



Definition 11. Let $C'$ and $C''$ be clauses having opposite literals of exactly one
variable $v \in Vars(C') \cap Vars(C'')$. The clause $C$ consisting of all literals of $C'$
and $C''$ but those of $v$ is called the resolvent of $C', C''$ on $v$. Clause $C$ is said
to be obtained by resolution on $v$. Clauses $C', C''$ are called resolvable on $v$.

Definition 12. A variable $x$ of a CNF formula $F$ is called blocked if no two
clauses of $F$ are resolvable on $x$. A monotone variable $x$ (literals of only one
polarity of $x$ are present in $F$) is a special case of a blocked variable.

The notion of blocked variables is related to that of blocked clauses
introduced in [17] (not to be confused with blocking clauses [18]). A clause $C$ of $F$ is
blocked with respect to $x$ if no clause $C'$ of $F$ is resolvable with $C$ on $x$. Variable
$x$ is blocked in $F$ if every $\{x\}$-clause of $F$ is blocked with respect to $x$.

Proposition 5. Let $\exists X[F]$ be an $\exists$CNF formula and $q$ be an assignment to
$Vars(F)$. Let a variable $v$ of $X \setminus Vars(q)$ be blocked in $F_q$. Then $v$ is redundant
in $\exists X[F_q]$.

Proposition 6. Let $\exists X[F]$ be an $\exists$CNF formula and $q$ be an assignment to
$Vars(F)$. Let $F_q$ have an empty clause. Then the variables of $X \setminus Vars(q)$ are
redundant in $\exists X[F_q]$.

4 Dependency Sequents (D-sequents) 

In this section, we define D-sequents and introduce the operation of joining
D-sequents.

4.1 Definition of D-sequents 

Definition 13. Let $\exists X[F]$ be an $\exists$CNF formula. Let $q$ be an assignment to
$Vars(F)$ and $Z$ be a subset of $X \setminus Vars(q)$. A dependency sequent (D-sequent)
has the form $(\exists X[F], q) \rightarrow Z$. It states that the variables of $Z$ are redundant in
$\exists X[F_q]$.

Example 1. Consider an $\exists$CNF formula $\exists X[F]$ where $F = C_1 \wedge C_2$, $C_1 = x \vee y_1$
and $C_2 = x \vee y_2$ and $X = \{x\}$. Let $q = \{(y_1 = 1)\}$. Then $F_q = C_2$ because $C_1$
is satisfied. Notice that $x$ is monotone and so redundant in $F_q$ (Proposition 5).
Hence, the D-sequent $(\exists X[F], q) \rightarrow \{x\}$ holds.

According to Definition 13, a D-sequent holds with respect to a particular
$\exists$CNF formula $\exists X[F]$. Proposition 7 shows that this D-sequent also holds after
adding to $F$ resolvent clauses.

Proposition 7. Let $\exists X[F]$ be an $\exists$CNF formula. Let $H = F \wedge G$ where $F$
implies $G$. Let $q$ be an assignment to $Vars(F)$. Then if $(\exists X[F], q) \rightarrow Z$ holds,
the D-sequent $(\exists X[H], q) \rightarrow Z$ does too.



4.2 Join Operation for D-sequents 



In this subsection, we introduce the operation of joining D-sequents. The join
operation produces a new D-sequent from two D-sequents derived earlier. The
semantics of this operation in terms of elimination of boundary points is quite
simple. Let $A_1$ and $A_2$ be subspaces from which all removable boundary points
of $F$ relevant to redundancy of $Z \subseteq X$ in $\exists X[F]$ have been eliminated. The join
operation produces a new such subspace $A$ where $A \subseteq A_1 \cup A_2$. We start with
introducing resolution of assignments that is similar to that of clauses.

Definition 14. Let $q'$ and $q''$ be assignments in which exactly one variable
$v \in Vars(q') \cap Vars(q'')$ is assigned different values. The assignment $q$ consisting
of all the assignments of $q'$ and $q''$ but those to $v$ is called the resolvent of $q', q''$
on $v$. Assignments $q', q''$ are called resolvable on $v$.

Proposition 8. Let $\exists X[F]$ be an $\exists$CNF formula. Let D-sequents
$(\exists X[F], q') \rightarrow Z$ and $(\exists X[F], q'') \rightarrow Z$ hold. Let $q', q''$ be resolvable on
$v \in Vars(F)$ and $q$ be the resolvent of $q'$ and $q''$. Then, the D-sequent
$(\exists X[F], q) \rightarrow Z$ holds too.

Definition 15. We will say that the D-sequent $(\exists X[F], q) \rightarrow Z$ of
Proposition 8 is produced by joining D-sequents $(\exists X[F], q') \rightarrow Z$ and
$(\exists X[F], q'') \rightarrow Z$ at $v$.

As we mentioned in Subsection 3.1, the operation join preserves only virtual
redundancy of D-sequents. The reason is as follows. A point $p$ that is removable
in $F_q$ may not be removable in $F$ (see Remark 1). A similar situation may occur
when joining D-sequents $(\exists X[F], q') \rightarrow Z$ and $(\exists X[F], q'') \rightarrow Z$ to produce
D-sequent $(\exists X[F], q) \rightarrow Z$ (see Definition 15). Let $A(q)$ denote the set of all points
obtained by adding to $q$ assignments to the variables of $Vars(F) \setminus Vars(q)$. Then
a point $p$ not removable in $A(q') \cup A(q'')$ may be removable in $A(q)$ in case $F$
is satisfiable in the former and unsatisfiable in the latter. This may happen if
$A(q) \subset A(q') \cup A(q'')$.
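
Definitions 13 and 14 and Proposition 8 on a concrete formula, as an added example that is not the paper's implementation: D-sequents are checked by brute force against Definition 5 and then joined, using the formula of Example 2 (Subsection 5.6). The literal encoding, the function names and the clause polarities (C1 = NOT y1 OR NOT x, C2 = y2 OR x, as that example's walkthrough implies) are assumptions.

```python
from itertools import product

# Constructed encoding (not from the paper): a literal is (variable, value),
# so ("x", 0) is NOT x; a clause is a frozenset of literals; a CNF formula is
# a list of clauses; an assignment is a dict {variable: 0 or 1}.


def restrict(cnf, q):
    """F_q of Definition 1: drop satisfied clauses, delete falsified literals."""
    out = []
    for clause in cnf:
        if any(q.get(v) == val for v, val in clause):
            continue
        out.append(frozenset((v, val) for v, val in clause if v not in q))
    return out


def variables(cnf):
    return {v for clause in cnf for v, _ in clause}


def exists(cnf, X, point):
    """Value of EXISTS X [cnf] at `point`, a complete assignment to the
    non-quantified variables of cnf."""
    xs = sorted(variables(cnf) & set(X))
    return any(restrict(cnf, {**point, **dict(zip(xs, bits))}) == []
               for bits in product((0, 1), repeat=len(xs)))


def d_sequent_holds(cnf, X, q, Z):
    """(EXISTS X [cnf], q) -> Z checked as plain redundancy (Definition 5) of Z
    in EXISTS X [cnf_q], which is a special case of virtual redundancy."""
    fq = restrict(cnf, q)
    pruned = [c for c in fq if not (variables([c]) & set(Z))]
    ys = sorted(variables(fq) - set(X))
    for bits in product((0, 1), repeat=len(ys)):
        point = dict(zip(ys, bits))
        if exists(fq, X, point) != exists(pruned, X, point):
            return False
    return True


def resolve(c1, c2, v):
    """Resolvent of two clauses that are resolvable on v (Definition 11)."""
    return frozenset(lit for lit in c1 | c2 if lit[0] != v)


def join(q1, q2):
    """Resolvent of two assignments (Definition 14), None if not resolvable."""
    clash = [v for v in q1 if v in q2 and q1[v] != q2[v]]
    if len(clash) != 1:
        return None
    merged = {**q1, **q2}
    del merged[clash[0]]
    return merged


def example_2():
    X = ["x"]
    C1 = frozenset({("y1", 0), ("x", 0)})   # NOT y1 OR NOT x
    C2 = frozenset({("y2", 1), ("x", 1)})   # y2 OR x
    C3 = resolve(C1, C2, "x")               # NOT y1 OR y2
    F, H = [C1, C2], [C1, C2, C3]
    S1 = {"y1": 0}                          # S1 of Example 2
    S2 = {"y1": 1, "y2": 0}                 # S2 of Example 2
    S_right = {"y2": 1}                     # x is monotone once C2 is satisfied
    J1 = join(S2, S_right)                  # joined at y2
    J2 = join(S1, J1)                       # joined at y1
    return {
        "C3": C3,
        "S1_in_F": d_sequent_holds(F, X, S1, X),
        "S2_in_F": d_sequent_holds(F, X, S2, X),   # fails until C3 is added
        "S2_in_H": d_sequent_holds(H, X, S2, X),
        "S_right_in_H": d_sequent_holds(H, X, S_right, X),
        "J1": J1, "J1_in_H": d_sequent_holds(H, X, J1, X),
        "J2": J2, "J2_in_H": d_sequent_holds(H, X, J2, X),
        "G": [c for c in H if "x" not in variables([c])],
    }


if __name__ == "__main__":
    for name, value in example_2().items():
        print(name, value)
```

The second join ends with the empty assignment, so x is unconditionally redundant and the quantifier-free result G consists of the resolvent alone.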



5 Description of DDS 

In this section, we describe a QE algorithm called DDS (Derivation of
D-Sequents). DDS derives D-sequents $(\exists X[F], r) \rightarrow \{x\}$ stating the redundancy
of one variable of $X$. From now on, we will use a short notation of D-sequents
writing $r \rightarrow \{x\}$ instead of $(\exists X[F], r) \rightarrow \{x\}$. We will assume that the
parameter $\exists X[F]$ missing in $r \rightarrow \{x\}$ is the current $\exists$CNF formula (with all resolvent
clauses added to $F$ so far). One can omit $\exists X[F]$ from D-sequents because
Proposition 7 entails that once a D-sequent $S$ equal to $(\exists X[F], r) \rightarrow \{x\}$ is derived
by DDS it holds in any future branch $q$ where $S$ is active. D-sequent $S$ is said
to be active in branch $q$ if $r < q$.

A description of DDS is given in Figure 1. DDS accepts an $\exists$CNF formula
$\exists X[F]$ (denoted as $\xi$), an assignment $q$ to $Vars(F)$ and a set $\Omega$ of active
D-sequents stating redundancy of some variables of $X \setminus Vars(q)$ in $\exists X[F_q]$.
DDS returns a modified formula $\exists X[F]$ (where resolvent clauses have been added
to $F$) and a set $\Omega$ of active D-sequents stating redundancy of every variable of
$X \setminus Vars(q)$ in $\exists X[F_q]$. DDS also returns the answer sat if $F_q$ is satisfiable. If
$F_q$ is unsatisfiable, DDS returns the answer unsat and a clause of $F$ falsified by
$q$. To build a CNF formula equivalent to $\xi$, one needs to call DDS with $q = \emptyset$,
$\Omega = \emptyset$ and discard the $X$-clauses of the CNF formula $F$ returned by DDS.



5.1 The Big Picture 



// ξ denotes ∃X[F]
// q is an assignment to Vars(F)
// Ω denotes a set of active D-sequents
DDS(ξ, q, Ω){
1   (Ω, ans, C) ← atomic_D_seqs(ξ, q, Ω);
2   if (ans = sat) return(ξ, Ω, sat);
3   if (ans = unsat) return(ξ, Ω, unsat, C);
4   v := pick_variable(F, q, Ω);
5   (ξ, Ω, ans0, C0) ← DDS(ξ, q ∪ {(v = 0)}, Ω);
6   (Ω^sym, Ω^asym) ← … Ω, v);
7   if (Ω^asym = ∅) return(ξ, Ω, ans0, C0);
8   Ω := Ω \ Ω^asym;
9   (ξ, Ω, ans1, C1) ← DDS(ξ, q ∪ {(v = 1)}, Ω);
10  if ((ans0 = unsat) and (ans1 = unsat)){
11    C := resolve_clauses(C0, C1, v);
12    F := F ∧ C;
13    Ω := process_unsat_clause(F, C, Ω);
14    return(ξ, Ω, unsat, C);}
15  Ω := merge(ξ, q, v, Ω^asym, Ω);
16  return(ξ, Ω, sat);}

Fig. 1. DDS procedure

First, DDS looks for variables whose redundancy is trivial to prove (lines 1-3).
If some variables of $X \setminus Vars(q)$ are not proved redundant yet, DDS picks
a branching variable $v$ (line 4). Then it extends $q$ by assignment $(v = 0)$ and
recursively calls itself (line 5) starting the left branch of $v$. Once the left
branch is finished, DDS extends $q$ by $(v = 1)$ and explores the right branch
(line 9). The results of the left and right branches are then merged (lines 10-16).

DDS terminates when for every variable $x$ of $X \setminus Vars(q)$ it derives a
D-sequent $g \rightarrow \{x\}$ where $g < q$. According to Proposition 1, derivation of such
D-sequents means that the D-sequent $q \rightarrow X \setminus Vars(q)$ holds.
Proposition 2 is applicable here because once a variable $x$ of $X \setminus Vars(q)$ is
proved redundant in $\exists X[F_q]$, every $\{x\}$-clause of $F_q$ is marked as redundant. A
redundant clause is ignored by DDS until it is unmarked as non-redundant. So,
DDS terminates when the QE problem is solved for $\xi$ in subspace $q$.



5.2 Building Atomic D-sequents 

Procedure atomic_D_seqs is called by DDS to compute D-sequents for trivial
cases of variable redundancy listed in Subsection 3.2. We refer to such
D-sequents as atomic. Lines 1-3 of Figure 2 show what is done when $F$ contains
a clause $C$ falsified by $q$. In this case, due to Proposition 6, for every variable
$x \in X \setminus Vars(q)$ for which $\Omega$ does not contain a D-sequent yet, the
D-sequent $g \rightarrow \{x\}$ is generated and added to $\Omega$. Here $g$ is the shortest
assignment falsifying $C$. Once $\Omega$ contains a D-sequent for every variable of
$X \setminus Vars(q)$, atomic_D_seqs terminates returning the answer unsat, set $\Omega$ and
clause $C$.

atomic_D_seqs(ξ, q, Ω){
1   if (∃ clause C ∈ F falsif. by q){
2     Ω := process_unsat_clause(ξ, C, Ω);
3     return(Ω, unsat, C);}
4   Ω := new_redund_vars(ξ, q, Ω);
5   if (all_unassgn_vars_redund(ξ, q, Ω))
6     return(Ω, sat);
7   return(Ω, unknown);}

Fig. 2. atomic_D_seqs procedure

Suppose no clause of $F$ is falsified by $q$. Then for every variable $x$ of
$X \setminus Vars(q)$ that does not have a D-sequent in $\Omega$ and is blocked, a D-sequent is
built as explained below. This D-sequent is then added to $\Omega$ (line 4). If every
variable of $X \setminus Vars(q)$ has a D-sequent in $\Omega$, then $F_q$ is satisfiable. (If $F_q$ is
unsatisfiable, the variables of $X \setminus Vars(q)$ can be made redundant only by adding
a clause falsified by $q$.) So, the answer sat and set $\Omega$ is returned (line 6).

Given a blocked variable $x \in X \setminus Vars(q)$ of $F_q$, a D-sequent $g \rightarrow \{x\}$ is
built as follows. The fact that $x$ is blocked in $F_q$ means that for any pair of
clauses $C', C''$ resolvable on $x$, $C'$ or $C''$ is either satisfied by $q$ or redundant
(as containing a variable proved redundant in $\exists X[F_q]$ earlier). Assume that it
is clause $C'$. The assignment $g$ is a subset of assignments of $q$ such that $C'$ is
satisfied by $g$ or redundant in $\exists X[F_g]$ and so $x$ is blocked in $F_g$. If $C'$ is satisfied
by $q$, then $g$ contains an assignment of $q$ satisfying $C'$. If $C'$ is not satisfied
by $q$ but contains a variable $x^*$ proved redundant earlier, $g$ contains all the
assignments of $g^*$ where $g^* \rightarrow \{x^*\}$ is the D-sequent of $\Omega$ stating redundancy
of $x^*$. A proof of correctness of $g \rightarrow \{x\}$ is given in the Appendix (Lemma 6).



5.3 Selection of a Branching Variable 



Let $q$ be the assignment DDS is called with and $X_{red}$ be the set of variables of $X$
whose D-sequents are in the current set $\Omega$. Let $Y = Vars(F) \setminus X$. DDS branches
only on a subset of free (i.e., unassigned) variables of $X$ and $Y$. Namely, a
variable $x \in X \setminus Vars(q)$ is picked for branching only if $x \notin X_{red}$. A variable
$y \in Y \setminus Vars(q)$ is picked for branching only if it is not detached. A variable $y$
of $Y \setminus Vars(q)$ is called detached in $F_q$, if every $\{y\}$-clause $C$ of $F_q$ that has at
least one variable of $X$ is redundant (because $C$ contains a variable of $X_{red}$).

Although Boolean Constraint Propagation (BCP) is not shown explicitly in
Figure 1, it is included into the pick_variable procedure as follows: a) preference
is given to branching on variables of unit clauses of $F_q$ (if any); b) if $v$ is a
variable of a unit clause $C$ of $F_q$ and $v$ is picked for branching, then the value
falsifying $C$ is assigned first to cause immediate termination of this branch. In
the description of DDS we give in Figure 1, the left branch always explores
assignment $v = 0$ but obviously $v = 1$ can be explored first too.

To simplify making the branching variable $v$ redundant when merging results
of the left and right branches, DDS first assigns values to variables of $Y$ (more
details are given in Subsection 5.5). This means that pick_variable never selects
a variable $x \in X$ for branching, if there is a free non-detached variable of $Y$.
In particular, BCP does not assign values to variables of $X$ if a non-detached
variable of $Y$ is still unassigned.



5.4 Switching from Left to Right Branch 



DDS prunes big chunks of the search space by not branching on redundant 
variables of X or detached variables of Y. One more powerful pruning technique 
of DDS discussed in this subsection is to reduce the size of right branches. 

Let $g \rightarrow \{x\}$ be a D-sequent of the set $\Omega$ computed by DDS in the left
branch $v = 0$ (line 5 of Figure 1). Notice that if $g$ has no assignment $(v = 0)$,
variable $x$ remains redundant in $\exists X[F_{q_1}]$ where $q_1 = q \cup \{(v = 1)\}$. This is
because $g \rightarrow \{x\}$ is still active in the subspace specified by $q_1$. DDS splits the
set $\Omega$ into subsets $\Omega^{sym}$ and $\Omega^{asym}$ of D-sequents symmetric and asymmetric
with respect to variable $v$ (line 6). We call a D-sequent $g \rightarrow \{x\}$ symmetric with
respect to $v$, if $g$ does not contain an assignment to $v$ and asymmetric otherwise.

Denote by $X^{sym}$ and $X^{asym}$ the variables of $X_{red} \setminus Vars(q)$ whose redundancy
is stated by D-sequents of $\Omega^{sym}$ and $\Omega^{asym}$ respectively. Before exploring the
right branch (line 9), the variables of $X^{asym}$ become non-redundant again. Every
clause $C$ of $F_q$ with a variable of $X^{asym}$ is unmarked as currently non-redundant
unless $Vars(C) \cap X^{sym} \neq \emptyset$.

Reducing the set of free variables of the right branch to $X^{asym}$ allows pruning
big parts of the search space. In particular, if $X^{asym}$ is empty there is
no need to explore the right branch. In this case, DDS just returns the results
of the left branch (line 7). Pruning the right branch when $X^{asym}$ is empty is
similar to non-chronological backtracking well known in SAT-solving [20].



5.5 Branch Merging 

Let $q_0 = q \cup \{(v = 0)\}$ and $q_1 = q \cup \{(v = 1)\}$. The goal of branch merging is to
extend the redundancy of all unassigned variables of $X$ proved in $\exists X[F_{q_0}]$ and
$\exists X[F_{q_1}]$ to formula $\exists X[F_q]$. If both $F_{q_0}$ and $F_{q_1}$ turned out to be unsatisfiable,
this is done as described in lines 11-14 of Figure 1. In this case, the unsatisfied
clauses $C_0$ and $C_1$ of $F_{q_0}$ and $F_{q_1}$ returned in the left and right branches
respectively are resolved on $v$. The resolvent $C$ is added to $F$.

Since $F$ contains clause $C$ that is falsified by $q$, for every variable
$x \in X \setminus Vars(q)$ whose D-sequent is not in $\Omega$, DDS derives an atomic D-sequent as
described in Subsection 5.2. This D-sequent is then added to $\Omega$. If, say,
$v \notin Vars(C_1)$, then resolve_clauses (line 11) returns $C_1$ itself since $C_1$ is
falsified by $q$ (and so no new clause is added to $F$).

merge(ξ, q, v, Ω^asym, Ω){
1   Ω := join_D_seqs(v, Ω^asym, Ω)
2   if (v ∈ X)
3     Ω := Ω ∪ {D_seq_for_v(F, q, v, Ω)};
4   return(Ω);}

Fig. 3. merge procedure

If at least one branch returns answer sat, then DDS calls procedure
merge described in Figure 3. First, merge takes care of the variables of
$X^{asym}$ (see Subsection 5.4). Note that redundancy of variables of $X^{asym}$ is
already proved in both branches. If a D-sequent of a variable from $X^{asym}$
returned in the right branch is asymmetric in $v$, then join_D_seqs (line 1) replaces
it with a D-sequent symmetric in $v$ as follows.

Let $x \in X^{asym}$ and $S_0$ and $S_1$ be the D-sequents stating the redundancy of
$x$ derived in the left and right branches respectively. Then join_D_seqs joins $S_0$
and $S_1$ at $v$ producing a new D-sequent $S$. The latter also states the redundancy
of $x$ but does not depend on $v$. D-sequent $S_1$ is replaced in $\Omega$ with $S$. If $S_1$ itself
does not depend on $v$, no new D-sequent is produced. $S_1$ remains in $\Omega$ as the
D-sequent for variable $x$ in $F_q$.

Finally, if the branching variable $v$ is in $X$, DDS derives a D-sequent stating
the redundancy of $v$. Notice that $v$ is not currently redundant in $\exists X[F_q]$ because
DDS does not branch on redundant variables. As we mentioned in Subsection 5.3,
the variables of $Y = Vars(F) \setminus X$ are assigned in DDS before those of $X$. This
means that before $v$ was selected for branching, all free non-detached variables of
$Y$ had been assigned. Besides, every variable of $X \setminus Vars(q)$ but $v$ has just been
proved redundant in $\exists X[F_q]$. So, $F_q$ may have only two types of non-redundant
clauses: a) clauses having only detached variables of $Y$; b) unit clauses depending
on $v$. Moreover, these unit clauses cannot contain literals of both polarities of
$v$ because merge is called only when either branch $v = 0$ or $v = 1$ is satisfied.
Therefore, $v$ is monotone. An atomic D-sequent $S$ stating the redundancy of
$v$ is built as described in Subsection 5.2 and added to $\Omega$ (line 3). Then merge
terminates returning $\Omega$.



5.6 Correctness of DDS and Example 



Fig. 4. Search tree built by DDS

Let DDS be called on formula $\xi = \exists X[F]$ with $q = \emptyset$ and $\Omega = \emptyset$. Informally,
DDS is correct because a) the atomic D-sequents built by DDS are correct (i.e.
they correctly describe redundancy of quantified variables in subspaces);
b) joining D-sequents produces a correct D-sequent; c) by the time DDS backtracks
to the root of the search tree, for every variable $x \in X$, D-sequent
$\emptyset \rightarrow \{x\}$ is derived. Due to Proposition 4, this implies that the D-sequent
$\emptyset \rightarrow X$ holds for the formula $\exists X[F]$ returned by DDS.

Proposition 9. DDS is sound and complete. 

Example 2. Let $\exists X[F]$ be an $\exists$CNF formula where $F = C_1 \wedge C_2$,
$C_1 = \overline{y}_1 \vee \overline{x}$, $C_2 = y_2 \vee x$ and $X = \{x\}$. To identify a particular DDS call
we will use the corresponding assignment $q$. For example, $DDS_{(y_1=1,y_2=0)}$ means
that the assignments $y_1 = 1$ and $y_2 = 0$ were made at recursion depths 0 and 1
respectively. So the current recursion depth is 2. Originally, assignment $q$ is
empty so the initial call is $DDS_{(\emptyset)}$. The work of DDS is shown in Figures 4 and 5,
used below to illustrate various aspects of DDS.

Branching variables. Figure 4 shows a search tree built by DDS. Recall that
DDS branches on variables of $Vars(F) \setminus X = \{y_1, y_2\}$ before those of $X$ (see
Subsection 5.3).



Leaves. The search tree of Figure 3 has four leaf nodes shown in dotted ovals.
In each leaf node, variable $x$ is either assigned or proved redundant. For example,
$x$ is proved redundant by $DDS_{(y_1=0)}$ and assigned by $DDS_{(y_1=1,y_2=0,x=1)}$.

Generation of new clauses. $DDS_{(y_1=1,y_2=0)}$ generates a new clause after
branching on $x$. $DDS_{(y_1=1,y_2=0,x=1)}$ returns $C_1$ as a clause of $F$ that is empty in
$F_{(y_1=1,y_2=0,x=1)}$. Similarly, $DDS_{(y_1=1,y_2=0,x=0)}$ returns $C_2$ because it is empty
in $F_{(y_1=1,y_2=0,x=0)}$. As described in Subsection 5.5, in this case, DDS resolves
clauses $C_1$ and $C_2$ on the branching variable $x$. The resolvent
$C_3 = \overline{y}_1 \vee y_2$ is added to $F$.

Generation of atomic D-sequents. Figure 5 describes derivation of D-sequents
for the search tree of Figure 4. The atomic D-sequents are shown in dotted
ovals. (Dotted boxes show D-sequents obtained by the join operation.) For
instance, $DDS_{(y_1=0)}$ generates D-sequent $S_1$ equal to $(y_1 = 0) \rightarrow \{x\}$. $S_1$ holds
because $F_{(y_1=0)} = y_2 \vee x$ and so $x$ is a blocked (monotone) variable of $F_{(y_1=0)}$.
The atomic D-sequent $S_2$ is derived by $DDS_{(y_1=1,y_2=0)}$. As we mentioned above,
$DDS_{(y_1=1,y_2=0)}$ adds clause $C_3 = \overline{y}_1 \vee y_2$ to $F$. This clause is empty in
$F_{(y_1=1,y_2=0)}$. So D-sequent $S_2$ equal to $(y_1 = 1, y_2 = 0) \rightarrow \{x\}$ is generated
where $(y_1 = 1, y_2 = 0)$ is the shortest assignment falsifying $C_3$.



Fig. 5. Derivation of D-sequents



Switching from left to right branch. Let us consider switching between
branches by DDS(∅) where y1 is picked for branching. The set of D-sequents
Ω(∅) returned by the left branch equals {S1} where S1 is equal to
(y1 = 0) → {x}. The only clause y2 ∨ x of F(y1=0) is marked as redundant
because it contains x that is currently redundant. Before starting the right
branch y1 = 1, DDS(∅) splits Ω(∅) into subsets Ω^sym(∅) and Ω^asym(∅) of
D-sequents respectively symmetric and asymmetric in y1. Since the only
D-sequent of Ω(∅) depends on y1, then Ω^asym(∅) = Ω(∅) and Ω^sym(∅) = ∅.
DDS(∅) removes D-sequent S1 from Ω because S1 becomes inactive if y1 = 1. So,
before DDS(y1=1) is called, variable x becomes non-redundant and clause
C2 = y2 ∨ x is unmarked as currently non-redundant.



Branch merging. Consider how branch merging is performed by DDS(y1=1).
In the left branch y2 = 0, the set Ω(y1=1) = {S2} is computed where S2 is
(y1 = 1, y2 = 0) → {x}. Since S2 depends on y2, then Ω^asym(y1=1) = Ω(y1=1).
In the right branch y2 = 1, the set Ω(y1=1) = {S3} is computed where S3 is
(y2 = 1) → {x}. By joining S2 and S3 at y2, D-sequent S4 is derived that
equals (y1 = 1) → {x}. S4 states redundancy of x in F(y1=1).

Termination. When DDS(∅) terminates, F = C1 ∧ C2 ∧ C3 where C3 = ¬y1 ∨ y2
and D-sequent ∅ → {x} is derived. By dropping C1, C2 as X-clauses one obtains
C3 = ∃X[C1 ∧ C2].
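
The derivation of Example 2 can be replayed and checked mechanically. The
sketch below is an added example, not the authors' DDS implementation: the
integer encoding (y1 -> 1, y2 -> 2, x -> 3), all function names, and the root
step that obtains S5 by joining S1 and S4 at y1 are assumptions; the literal
polarities are those under which C1 is empty at (y1=1, x=1) and C2 at
(y2=0, x=0); d_sequent_holds decides plain (not virtual) redundancy by truth
table.

```python
from itertools import product

# Constructed encoding of Example 2: y1 -> 1, y2 -> 2, x -> 3 (DIMACS-style ints).
# A clause is a frozenset of literals; -v is the negation of variable v.
Y1, Y2, X = 1, 2, 3
C1 = frozenset({-Y1, -X})    # empty under y1=1, x=1
C2 = frozenset({Y2, X})      # empty under y2=0, x=0
F = {C1, C2}
QUANTIFIED = {X}


def restrict(cnf, q):
    """F_q: drop clauses satisfied by q (dict var -> 0/1), delete falsified literals."""
    return {frozenset(l for l in c if abs(l) not in q)
            for c in cnf
            if not any(abs(l) in q and q[abs(l)] == int(l > 0) for l in c)}


def resolvents(cnf, v):
    """All non-tautologous resolvents of clauses of cnf on variable v."""
    out = set()
    for a in (c for c in cnf if v in c):
        for b in (c for c in cnf if -v in c):
            r = (a - {v}) | (b - {-v})
            if not any(-l in r for l in r):
                out.add(frozenset(r))
    return out


def is_blocked(cnf, v):
    """v is blocked when no two clauses have opposite literals of v only."""
    return not resolvents(cnf, v)


def satisfies(cnf, a):
    """True if the total assignment a (dict var -> 0/1) satisfies every clause."""
    return all(any(a[abs(l)] == int(l > 0) for l in c) for c in cnf)


def exists(cnf, xs, free_vars):
    """Truth table of (exists xs)[cnf] over free_vars, one boolean per row."""
    xs = sorted(xs)
    return tuple(
        any(satisfies(cnf, {**dict(zip(free_vars, ys)), **dict(zip(xs, vs))})
            for vs in product((0, 1), repeat=len(xs)))
        for ys in product((0, 1), repeat=len(free_vars)))


def d_sequent_holds(cnf, xs, q, z):
    """Check q -> z: removing the clauses of F_q that contain a variable of z
    leaves (exists xs)[F_q] unchanged. Plain redundancy, decided by truth table."""
    fq = restrict(cnf, q)
    h = {c for c in fq if not any(abs(l) in z for l in c)}
    free = sorted({abs(l) for c in cnf for l in c} - set(xs) - set(q))
    bound = set(xs) - set(q)
    return exists(fq, bound, free) == exists(h, bound, free)


def join(q1, q2, v):
    """Resolvent of two assignments that disagree on v and on no other variable."""
    if v not in q1 or v not in q2 or q1[v] == q2[v]:
        raise ValueError("assignments are not resolvable on this variable")
    if any(q1[u] != q2[u] for u in q1.keys() & q2.keys() if u != v):
        raise ValueError("assignments disagree on a second variable")
    return {u: val for u, val in {**q1, **q2}.items() if u != v}


def replay_example():
    """Return (final F, C3, [S1..S5]) where each S is the assignment of q -> {x}."""
    f = set(F)
    s1 = {Y1: 0}               # atomic: x is blocked in F_(y1=0)
    (c3,) = resolvents(f, X)   # both x-branches fail under (y1=1,y2=0): resolve C1, C2
    f.add(c3)
    s2 = {Y1: 1, Y2: 0}        # atomic: shortest assignment falsifying C3
    s3 = {Y2: 1}               # atomic: x is blocked in F_(y2=1)
    s4 = join(s2, s3, Y2)      # (y1=1) -> {x}
    s5 = join(s1, s4, Y1)      # assumed root step: empty assignment -> {x}
    return f, c3, [s1, s2, s3, s4, s5]


if __name__ == "__main__":
    f, c3, seqs = replay_example()
    for i, q in enumerate(seqs, 1):
        print(f"S{i}: {q} -> {{x}} holds:", d_sequent_holds(f, QUANTIFIED, q, {X}))
    g = {c for c in f if X not in {abs(l) for l in c}}   # drop the X-clauses
    same = exists(g, set(), [Y1, Y2]) == exists(F, QUANTIFIED, [Y1, Y2])
    print("G =", g, "equivalent to the quantified formula:", same)
```

On the original F the empty-assignment D-sequent fails the check; it holds
only once C3 has been added, which is the sense in which DDS adds resolvents
to make x redundant.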



6 Compositionality of DDS 



Let F = F1 ∧ ... ∧ Fk where Vars(Fi) ∩ Vars(Fj) = ∅, i ≠ j. We will say
that an algorithm solves the QE problem specified by ∃X[F] compositionally
if it breaks this problem down into k independent subproblems of finding Gi
equivalent to ∃X[Fi]. A formula G equivalent to ∃X[F] is then built as
G1 ∧ ... ∧ Gk.

Our interest in compositional QE algorithms is motivated as follows. First, 
a non-compositional algorithm has poor scalability. Second, even if the original 
formula F is not a conjunction of independent subformulas, such subformulas 
may appear in subspaces of the search space during branching. Notice that a 
QE algorithm that resolves out variables one by one as in the DP procedure [11]
is compositional. (Clauses of Fi and Fj, i ≠ j, cannot be resolved with each
other). However, such an algorithm cannot take into account subtle properties
of the formula and hence may have abysmal performance. Suppose, for example,
that F does not have independent subformulas but such subformulas appear
in subspaces x = 0 and x = 1 where x ∈ X. A compositional branching QE
algorithm can make use of this fact in contrast to its counterpart eliminating 
quantified variables globally i.e. for all subspaces at once. 

A QE algorithm based on enumeration of satisfying assignments is not
compositional. The reason is that the set of assignments satisfying F is a
Cartesian product of those satisfying Fi, i = 1, ..., k. So if, for example,
all Fi are identical, the complexity of an enumeration based QE algorithm is
exponential in k. A QE algorithm based on BDDs [5] is compositional only for
variable orderings where variables of Fi and Fj, i ≠ j, do not interleave.

Now we show the compositionality of DDS. By a decision branching variable 
mentioned in the proposition below, we mean that this variable was not present 
in a unit clause of the current formula when it was selected for branching. 

Proposition 10 (compositionality of DDS). Let T be the search tree built by
DDS when solving the QE problem ∃X[F1 ∧ ... ∧ Fk], Vars(Fi) ∩ Vars(Fj) = ∅,
i ≠ j. Let Xi = X ∩ Vars(Fi) and Yi = Vars(Fi) \ X. The size of T in the
number of nodes is bounded by |Vars(F)| · (η(X1 ∪ Y1) + ... + η(Xk ∪ Yk))
where η(Xi ∪ Yi) = 2 · 3^|Xi ∪ Yi| · (|Xi| + 1), i = 1, ..., k, no matter how
decision branching variables are chosen.



Proposition 10 is proved for a slightly modified version of DDS (see
Appendix). Notice that the compositionality of DDS is not ideal. For example,
if all subformulas Fi are identical, DDS is quadratic in k as opposed to being
linear. Informally, DDS is compositional because D-sequents it derives have
the form g → x where Vars(g) ∪ {x} ⊆ Vars(Fi). The only exception are
D-sequents derived when the current assignment falsifies a clause of F. This
exception is the reason why the compositionality of DDS is not ideal.



7 Experimental Results 



We compared DDS with a QE algorithm based on enumeration of satisfying
assignments [7] (courtesy of Andy King). We will refer to this QE algorithm
as EnumSA. We also compared DDS with the QE algorithm of [13] that we
will call QE-GBL. Given a formula ∃X[F], QE-GBL eliminates variables of X
globally, one by one, as in the DP procedure. However, when resolving out a
variable x ∈ X, QE-GBL adds a new resolvent to F only if it eliminates an
{x}-removable {x}-boundary point of F. Variable x is redundant in ∃x[F] if
all {x}-removable {x}-boundary points of F are eliminated. QE-GBL does not
generate so many redundant clauses as DP, but still has the flaw of eliminating
variables globally.

We used QE-GBL for two reasons. First, DDS can be viewed as a branching
version of QE-GBL. So it is interesting to check if branching is beneficial for
QE algorithms. Second, one can consider QE-GBL as an algorithm similar to
that of [15]. The latter solves ∃x[F(x, Y)] by looking for a Boolean function
H(Y) such that F(H(Y), Y) = ∃x[F(x, Y)]. We used QE-GBL to get an idea
about the performance of the algorithm of [15] since it was not implemented as
a stand-alone tool.



Table 1. Experiments with model checking formulas. The time limit is 1 min

model checking   EnumSA                   QE-GBL                   DDS
mode             solved (%)   time (s.)   solved (%)   time (s.)   solved (%)   time (s.)
forward          425 (56%)    466         561 (74%)    4,865       664 (87%)    1,530
backward         97 (12%)     143         522 (68%)    2,744       563 (74%)    554



Our implementation of QE-GBL was quite efficient. In particular, we employed
Picosat [5] for finding boundary points. On the other hand, in experiments, we
used a very simple, proof-of-the-concept implementation of DDS. More details
about this implementation can be found in Appendix.


In the first two experiments (Table 1), we used the 758 model checking
benchmarks of HWMCC'10 competition [24]. In the first experiment (the first
line of Table 1), we used EnumSA, QE-GBL and DDS to compute the set of states
S_reach reachable in the first transition. In this case, CNF formula F
describes the transition relation and the initial state. CNF formula G
equivalent to ∃X[F] specifies S_reach.



Fig. 6. Forward model checking (1 iteration). Axis: number of solved formulas.



In the second experiment (the second line of Table 1), we used the same
benchmarks to compute the set of "bad" states in backward model checking. In
this case, F specifies the output function and the property in question. If F
evaluates to 1 for some assignment p to Vars(F), this property is broken and
the state given by the state bits of p is bad. Formula G equivalent to ∃X[F]
specifies the set of all bad states (that may or may not be reachable from the
initial state).
Fig. 7. Backward model checking (1 iteration). Axis: number of solved formulas.



Table 1 shows the comparison of the three programs with respect to the number
of formulas solved, percentage of this number to the total number (758) and
time taken for the solved problems. With 1-minute time limit, DDS solved more
formulas than EnumSA and QE-GBL in forward and backward model checking.
Figures 6 and 7 give the number of formulas of Table 1 solved by the three
programs in t seconds, 0 < t < 60. These figures show the superiority of DDS
over QE-GBL and EnumSA on the set of formulas we used. The poor performance of
EnumSA on backward model checking formulas is due to lack of constraints on
next state variables. In the presence of such constraints, EnumSA performs
much better (see below).

The size of the 1,227 formulas solved by DDS peaked at 98,105 variables, the 
medium size being 2,247 variables. The largest number of non-quantified (i.e., 
state) variables was 7,880 and 541 formulas had more than 100 state variables. 
The size of resulting formula G peaked at 32,769 clauses, 361 resulting formulas 
had more than 100 clauses. We used Picosat [5] to remove redundant literals 
and clauses of G with the time limit of 4 seconds. Overall, the resulting formulas 
built by DDS were smaller than those of EnumSA and QE-GBL. For instance, 
out of 1069 formulas solved by both DDS and QE-GBL, the size of G built by 
DDS was smaller (respectively equal or larger) in 267 (respectively 798 and 4) 
cases. 

In the experiments above, we did not use formula preprocessing even though it
could have been beneficial. For instance, the forward model checking formulas
had a lot of unit clauses encoding the initial state. The backward model
checking formulas had many blocked (i.e., redundant) clauses [4]. The reason
is that when the original set of bad states is computed, the next state
variables are not constrained yet. However, when we compared the three
programs on preprocessed formulas we obtained similar results: DDS
outperformed EnumSA and QE-GBL. In particular, we generated 189 backward model
checking formulas specifying bad states after a number of iterations. The idea
was to get formulas where preprocessing simplifications performing initial BCP
and elimination of blocked clauses failed. With 1-minute time limit, DDS,
QE-GBL and EnumSA solved 185, 163 and 149 formulas out of 189 respectively.
Notice that EnumSA performed much better here than in the initial iteration.

Table 2. Applying QE algorithms to conjunction of independent formulas. The
time limit is 1 hour

#copies   (#vars, #clauses)   |Y|     EnumSA (s.)   DDS rand (s.)   DDS (s.)
5         (20,30)             10                    0.01            0.01
10        (40,60)             20      10.46         0.01            0.01
15        (60,90)             30      > 1 hour      0.01            0.01
500       (2000,3000)         1000    > 1 hour      1.95            0.04

The third experiment (Table 2) clearly shows the compositionality of DDS in
comparison to EnumSA. In this experiment, both programs computed the output
assignments produced by a combinational circuit N composed of small identical
circuits N1, ..., Nk with independent sets of variables. In this case, one
needs to eliminate quantifiers from ∃X[F] where F = F1 ∧ ... ∧ Fk. CNF
formula Fi specifies Ni, and Vars(Fi) \ X and Vars(Fi) ∩ X are the sets of
output and non-output variables of Ni respectively. So a CNF formula
equivalent to ∃X[F] specifies the output assignments of N.

The first column of Table 2 shows k (the number of copies of Ni). The next
two columns give the size of CNF formula F and the number of outputs in circuit
N. The last three columns show the run time of EnumSA and two versions of
DDS. In the first version, the choice of branching variables was random. In
the second version, this choice was guided by the compositional structure of N.
While DDS solved all the formulas easily, EnumSA could not finish the formulas
F with k ≥ 15 in 1 hour. Notice that DDS was able to quickly solve all the
formulas even with the random choice of branching variables.

8 Background 

The relation between a resolution proof and the process of elimination of
boundary points was discussed in [13]. In terms of the present paper, [13]
dealt only with a special kind of Z-boundary points of formula F where
|Z| = 1. In the present paper, we consider the case where Z is an arbitrary
subset of the set of quantified variables X of an ∃CNF formula ∃X[F]. This
extension is crucial for describing the semantics of D-sequents.

As far as quantifier elimination is concerned, QE algorithms and QBF solvers
can be partitioned into two categories. (Although, in contrast to a QE
algorithm, a QBF-solver is a decision procedure, they both employ methods of
quantifier elimination. For the lack of space, we omit references to papers on
QE algorithms that use BDDs [8,9].) The members of the first category employ
various techniques to eliminate quantified variables of the formula one by one
in some order [23,6,2,15]. For example, in [15], quantified variables are
eliminated by interpolation. All these solvers face the same problem: there
may not exist a good single order for variable elimination, which may lead to
exponential growth of the size of intermediate formulas. In Subsection 6 we
already gave an example of this problem. Here is one more. Let q be an
assignment to variables of F. If formula F_q has unit clauses, the variables
of such clauses can be eliminated by unit resolution, i.e., BCP. In a sense,
unit resolution eliminates variables of F_q in a natural order. However,
natural orders in formulas F_q' and F_q'' of different branches q' and q'' may
be incompatible.

The solvers of the second category are based on enumeration of satisfying or
unsatisfying assignments [18,16,12,7,22]. Since such assignments are, in
general, "global" objects, it is hard for such solvers to follow the fine
structure of the formula, e.g., such solvers are not compositional. In a
sense, DDS tries to take the best of both worlds. It branches and so can use
different variable orders in different branches as the solvers of the second
category. At the same time, in every branch, DDS eliminates quantified
variables individually as the solvers of the first category, which makes it
easier to follow the formula structure.

9 Conclusion 

We introduced Derivation of Dependency-sequents (DDS), a new method for 
eliminating quantifiers from a formula ∃X[F] where F is a CNF formula. The 
essence of DDS is to add resolvent clauses to F to make the variables of X 
redundant. The process of making variables redundant is described by depen- 
dency sequents (D-sequents) specifying conditions under which variables of X 
are redundant. In contrast to methods based on the enumeration of satisfy- 
ing assignments, DDS is compositional. Our experiments with a proof-of-the- 
concept implementation show the promise of DDS. Our future work will focus 
on studying various ways to improve the performance of DDS, including lifting 
the constraint that non-quantified variables are assigned before quantified vari- 
ables and reusing D-sequents instead of discarding them after one join operation 
(as SAT-solvers reuse conflict clauses). 
Appendix

The Appendix is structured as follows. In the first section, we give some
details of the implementation of DDS we used in experiments. In the following
sections we provide proofs of the propositions listed in the paper. We also
give proofs of lemmas that are used in the proofs of propositions. The
numbering of propositions corresponds to the one of the paper. When we say
that the variables of a set Z are redundant in ∃X[F_q], we mean that they are
at least virtually redundant in ∃X[F_q] (see Definition and Remark).

Some Implementation Details

In this section, we describe some features of the implementation of DDS we used
in experiments. We will refer to this implementation as DDS_impl.

• In Figure 1, DDS is described in terms of recursive calls. It is more
convenient to consider DDS_impl as building a search tree. Let n be the node
of the search tree built by DDS_impl at which a variable v of Vars(F) is
assigned. Then the depth Depth(n) of n is equal to the recursion depth at
which variable v is assigned by DDS.



• In DDS_impl, we followed the common practice of using a stack for
implementing branching algorithms. When a new node n of the search tree is
created, all the relevant information about n is pushed on the stack. When
backtracking from node n, all the information about n is popped off the stack.

• To make the code of DDS_impl easy to modify, we have not implemented
optimization techniques like using watched literals to speed up BCP, special
representation of two-literal clauses and so on.

• In Figure 1, a D-sequent depending on an assignment to the branching
variable is discarded when the current DDS call terminates. On the other hand,
keeping such D-sequents may be very beneficial. The reason is that after
getting broken, a D-sequent S stating redundancy of x ∈ X may become active
again in a different part of the search space. S can be used in that part of
the space to avoid branching on x. This is similar to reusing conflict clauses
to avoid entering the parts of the search space already proved unsatisfiable.
Nevertheless, to keep DDS_impl as simple as possible, D-sequent reusing has
not been implemented.

• In Figure 1, if both branches are unsatisfiable, DDS adds the resolvent C
of clauses C0 and C1 falsified in left and right branches respectively. Recall
that C is falsified by the current assignment q. Let Depth(C) describe the
maximum recursion depth at which an assignment of q falsifying a literal
of C is made. In DDS_impl, clause C is not added to F if another clause C'
falsified by q can be derived later such that Depth(C') < Depth(C). This is
similar to the conflict clause generation procedure of a SAT-solver. In such a
procedure, all intermediate resolvents produced in the course of generation
of a conflict clause are discarded.

The condition above means that DDS_impl keeps a resolvent clause C only if
it is empty or if in the node of the search tree located at depth Depth(C)

  • the left branch is currently explored or

  • the right branch is currently explored and formula F was satisfiable in
    the left branch.

In terms of a conflict clause generation procedure, DDS_impl backtracks to the
closest decision assignment of the current path of the search tree or to the
root of the tree if the current path does not have any decision assignments.

Propositions of Section 2

Proposition 1. A Z-boundary point p of F is removable in ∃X[F], iff one
cannot turn p into an assignment satisfying F by changing only the values of
variables of X.

Proof: If part. Assume the contrary. That is p is not removable while no
satisfying assignment can be obtained from p by changing only assignments to
variables of X. Let Y = Vars(F) \ X and C be a clause consisting only of
variables of Y and falsified by p. Since p is not removable, clause C is not
implied by F. This means that there is an assignment s that falsifies C and
satisfies F. By construction, s and p have identical assignments to variables
of Y. Thus, s can be obtained from p by changing only values of variables of
X. Contradiction.

Only if part. Assume the contrary. That is p is removable but one can obtain an
assignment s satisfying F from p by changing only values of variables of X.
Since p is removable, there is a clause C that is implied by F and falsified
by p and that depends only on variables of Y. Since s and p have identical
assignments to variables of Y, point s falsifies C. However, since s satisfies
F, this means that C is not implied by F. Contradiction □

Proposition 2. The variables of Z ⊆ X are not redundant in ∃X[F] iff there
is an X-removable W-boundary point of F, W ⊆ Z.

Proof: Let H denote F \ F^Z and Y denote Vars(F) \ X. Given a point p, let
(x,y) specify the assignments of p to the variables of X and Y respectively.

If part. Assume the contrary, i.e., there is an X-removable W-boundary point
p=(x,y) of F where W ⊆ Z but the variables of Z are redundant and hence
∃X[F] = ∃X[H]. Since p is a boundary point, F(p) = 0. Since p is removable,
(∃X[F])_y = 0. On the other hand, since p falsifies only W-clauses of F it
satisfies H. Hence (∃X[H])_y = 1 and so (∃X[F])_y ≠ (∃X[H])_y. Contradiction.

Only if part. Assume the contrary, i.e., the variables of Z are not redundant
(and hence ∃X[F] ≠ ∃X[H]) and there does not exist an X-removable
W-boundary point of F, W ⊆ Z. Let y be an assignment to Y such that
(∃X[F])_y ≠ (∃X[H])_y. One has to consider the following two cases.

• (∃X[F])_y = 1 and (∃X[H])_y = 0. Then there exists an assignment x to X
such that (x,y) satisfies F. Since every clause of H is in F, formula H is
also satisfied by p. Contradiction.

• (∃X[F])_y = 0 and (∃X[H])_y = 1. Then there exists an assignment x to
variables of X such that (x,y) satisfies H. Since F_y = 0, point (x,y)
falsifies F. Since H(p) = 1 and every clause of F that is not in H is a
Z-clause, (x,y) is a W-boundary point of F where W ⊆ Z. Since F_y = 0, (x,y)
is an X-removable W-boundary point of F. Contradiction □

Propositions of Section 3

Proposition 3. Let ∃X[F] be an ∃CNF formula and q be an assignment to
Vars(F). Let p be a Z-boundary point of F where q < p and Z ⊆ X. Then if p
is removable in ∃X[F] it is also removable in ∃X[F_q].

Proof: Let Y denote Vars(F) \ X. Assume the contrary. That is p is removable
in ∃X[F] but is not removable in ∃X[F_q]. The fact that p is removable in
∃X[F] means that there is a clause C implied by F and falsified by p that
consists only of variables of Y. Since p is not removable in ∃X[F_q], from
Proposition 1 it follows that an assignment s satisfying F_q can be obtained
from p by changing only values of variables of X \ Vars(q). By construction,
p and s have identical assignments to variables of Y. So s has to falsify C.
On the other hand, by construction, q < s. So, the fact that s satisfies F_q
implies that s satisfies F too. Since s falsifies C and satisfies F the former
cannot be implied by the latter. Contradiction □



Proposition 4. Let ∃X[F] be a CNF formula and q be an assignment to
variables of F. Let the variables of Z be redundant in ∃X[F_q] where
Z ⊆ (X \ Vars(q)). Let a variable v of X \ (Vars(q) ∪ Z) be redundant in
∃X[F_q \ (F_q)^Z]. Then the variables of Z ∪ {v} are redundant in ∃X[F_q].

Proof: Assume the contrary, that is the variables of Z ∪ {v} are not
redundant. Then from Definition 10 it follows that F_q has a Z'-boundary point
p where Z' ⊆ Z ∪ {v}, q < p that is X-removable both in F_q and F. Let us
consider the two possible cases:

• v ∉ Z' (and so Z' ⊆ Z). Since p is removable both in F_q and F, the
variables of Z are not redundant in ∃X[F_q]. Contradiction.

• v ∈ Z' (and so Z' ⊈ Z). Then p is a {v}-boundary point of F_q \ (F_q)^Z.
Indeed, there has to be a clause C of F_q falsified by p that contains variable
v. Otherwise, condition c) of the definition of a boundary point is broken
because v can be removed from Z' (see Definition 7).

Let P denote the set of all 2^|X \ (Vars(q) ∪ Z)| points obtained from p by
flipping values of variables of X \ (Vars(q) ∪ Z). Let us consider the
following two possibilities.

  • Every point of P falsifies F_q \ (F_q)^Z. This means that the point p is a
    removable {v}-boundary point of F_q \ (F_q)^Z. Since v is virtually
    redundant in F_q \ (F_q)^Z then point p cannot be removable in F.
    Contradiction.

  • A point d of P satisfies F_q \ (F_q)^Z. Let us consider the following two
    cases.

    • d satisfies F_q. This contradicts the fact that p is an X-removable
      Z'-boundary point of F_q. (By flipping variables of X \ Vars(q) one
      can obtain a point satisfying F_q.)

    • d falsifies some clauses of F_q. Since F_q and F_q \ (F_q)^Z are
      different only in Z-clauses, d is a Z''-boundary point of F_q where
      Z'' ⊆ Z. By construction, p and d are different only in values of
      variables of X. So, the fact that p is an X-removable Z'-boundary point
      of F_q implies that d is an X-removable Z''-boundary point of F_q. Since
      the variables of Z are virtually redundant in F_q, point d cannot be
      removable in ∃X[F]. This means that d can be turned into an assignment
      satisfying F by changing only values of variables of X. Then the same
      applies to p. Hence p is not removable in ∃X[F]. Contradiction □



Lemma 1. Let p be a {v}-boundary point of CNF formula G(Z) where

Let p' be obtained from p by flipping the value of v. Then p' either satisfies
G or it is also a {v}-boundary point of G.

Proof: Assume the contrary, i.e., p' falsifies a clause C of G that does not
have a literal of v. (And so p' is neither a satisfying assignment nor a
{v}-boundary point of G.) Since p is different from p' only in the value of v,
it also falsifies C. Then p is not a {v}-boundary point of G. Contradiction □



Proposition 5. Let ∃X[F] be an ∃CNF formula and q be an assignment to
Vars(F). Let a variable v of X \ Vars(q) be blocked in F_q. Then v is redundant
in ∃X[F_q].

Proof: Let us show that v is redundant in ∃X[F_q] in terms of Definition 5 and
hence it is also virtually redundant in ∃X[F_q]. Assume the contrary, that is
v is not redundant in ∃X[F_q] in terms of Definition 5. Then there is an
X-removable {v}-boundary point p of F_q. Note that the clauses of F_q
falsified by p have the same literal l(v) of variable v. Let p' be the point
obtained from p by flipping the value of v. According to Lemma 1, one needs to
consider only the following two cases.

• p' satisfies F_q. Since p' is obtained from p by changing a variable of X, p
is not X-removable in F_q. Contradiction.

• p' falsifies only the clauses of F_q with literal ¬l(v). (Point p' cannot
falsify a clause with literal l(v).) Then there is a pair of clauses C and C'
of F_q falsified by p and p' respectively that have opposite literals only of
variable v. Hence v is not a blocked variable of F_q. Contradiction □

Proposition 6. Let ∃X[F] be an ∃CNF formula and q be an assignment to
Vars(F). Let F_q have an empty clause. Then the variables of X \ Vars(q) are
redundant in ∃X[F_q].

Proof: Let us show that the variables of X \ Vars(q) are redundant in ∃X[F_q]
in terms of Definition 5 and hence they are also virtually redundant in
∃X[F_q]. According to Proposition 2, non-redundancy of variables of
X \ Vars(q) in ∃X[F_q] implies the existence of a Z-boundary point where
Z ⊆ (X \ Vars(q)). However, the set of Z-boundary points of F_q is empty.
Indeed, on the one hand, F_q contains an empty clause C that is falsified by
any point. On the other hand, according to Definition 7, if p is a Z-boundary
point, then Z is a non-empty set that has to contain at least one variable of
every clause falsified by p, in particular, a variable of clause C □

Propositions of Section 4

Proposition 7. Let ∃X[F] be an ∃CNF formula. Let H = F ∧ G where F
implies G. Let q be an assignment to Vars(F). Then if (∃X[F], q) → Z holds,
the D-sequent (∃X[H], q) → Z does too.

Proof: Assume the contrary, i.e., (∃X[F], q) → Z holds but (∃X[H], q) → Z
does not. According to Definition 13, this means that variables of Z are not
(virtually) redundant in H_q. That is, there is an X-removable Z'-boundary
point p of H_q where Z' ⊆ Z that is also X-removable in F. The fact that the
variables of Z are virtually redundant in F_q means that either

1. p is not an X-removable Z''-boundary point of F_q where Z'' ⊆ Z or

2. p is an X-removable Z''-boundary point of F_q but it is not X-removable in
F.

Let us consider the first case above. There are three possible reasons for p
not to be an X-removable Z''-boundary point of F_q.

• p satisfies F_q. Then it also satisfies H_q and hence cannot be a boundary
point of H_q. Contradiction.

• p is not a Z''-boundary point of F_q where Z'' ⊆ Z. That is p falsifies a
clause C of F_q that does not contain a variable of Z. Since H_q also contains
C, point p cannot be a Z'-boundary point of H_q where Z' ⊆ Z. Contradiction.

• p is a Z''-boundary point of F_q where Z'' ⊆ Z but it is not X-removable
in F_q. This means that one can obtain a point s satisfying F_q by flipping
values of variables of X \ Vars(q) in p. Since s also satisfies H_q, one has to
conclude that p is not a removable point of H_q. Contradiction.

Now let us consider the second case above, i.e., p is an X-removable
Z''-boundary point of F_q but it is not X-removable in F. Then one can turn p
into an assignment s satisfying F by changing only values of variables of X.
Since s also satisfies H, point p cannot be X-removable in H. Contradiction □

To show the correctness of join operation (Proposition 8), we need to prove
the lemma below.

Lemma 2. Let ∃X[F] be an ∃CNF formula, q be an assignment to variables of
Vars(F). Let Z be a subset of variables of X that are redundant in ∃X[F_q].
Let Z' ⊆ Z. Then the variables of Z' are also redundant in ∃X[F_q].

Proof: Assume the contrary, i.e., the variables of Z' are not virtually
redundant in F. Then there is a Z''-boundary point p that is removable both in
∃X[F_q] and ∃X[F] where q < p and Z'' ⊆ Z'. This means that p cannot be
turned into an assignment satisfying F by changing values of variables of X.
Since Z'' is also a subset of Z, the existence of point p means that the
variables of Z are not redundant in ∃X[F_q] either. Contradiction □

Proposition 8. Let ∃X[F] be an ∃CNF formula. Let D-sequents (∃X[F], q') → Z
and (∃X[F], q'') → Z hold. Let q', q'' be resolvable on v ∈ Vars(F) and q
be the resolvent of q' and q''. Then, the D-sequent (∃X[F], q) → Z holds too.

Proof: Assume the contrary, that is the variables of Z are not redundant in
∃X[F_q]. Then there is a W-boundary point p where W ⊆ Z and q < p that
is removable both in ∃X[F_q] and in ∃X[F]. By definition of q, the fact that
q < p implies that q' < p or q'' < p. Assume, for instance, that q' < p. From
Lemma 2 it follows that the variables of W are redundant in F_q' as a subset
of set Z whose variables are redundant in ∃X[F_q']. Since q' < p and p is a
W-boundary point of F_q, point p is also a W-boundary point of F_q'. The fact
that p is removable in ∃X[F] implies that the variables of Z are not redundant
in ∃X[F_q']. Contradiction □

Proposition of Section 5

The objective of this Section is to prove the correctness of DDS (Proposition 9).
To reach this objective, we need to introduce a few new definitions and prove
several lemmas.



Definition 16. Let 3X[F] be an BCNFformula, q be an assignment to Vars(F) 
and Z C (X\ Vars(q)). We will call D-sequent (3X[F],q) — > Z single-variable 
if\Z\=l. 

Definition 17. Let q' and q" be assignments to variables of a CNF formula F. 
We will call these assignments consistent if no variable of Vars(q')C\ Vars{q") 
has different values in q' and q" . Let q' and q" be consistent. We will call the 
assignment consisting of all assignments of q' and q" the union of q' and q" . 

Definition 18. Let $\Omega$ be a set of single-variable D-sequents for an $\exists$CNF
formula $\exists X[F]$. We will say that $\Omega$ is consistent if for any pair of D-sequents
$(\exists X[F], q') \rightarrow \{v'\}$ and $(\exists X[F], q'') \rightarrow \{v''\}$ of $\Omega$, assignments $q'$ and $q''$ are
consistent.

Definition 19. Let $\Omega$ be a consistent set of D-sequents for an $\exists$CNF formula
$\exists X[F]$. Denote by $X^{\Omega}$ the set of all variables of $X$ whose redundancy is stated by
D-sequents of $\Omega$. In the following write-up we assume that $|X^{\Omega}| = |\Omega|$. That
is, for every variable $v$ of $X^{\Omega}$, set $\Omega$ contains exactly one D-sequent stating
the redundancy of $v$. Let $Z$ be a subset of $X^{\Omega}$. Denote by $\Omega(Z)$ the subset of
$\Omega$ stating the redundancy of variables of $Z$.

Definition 20. Let $\Omega$ be a consistent set of D-sequents for an $\exists$CNF formula
$\exists X[F]$. Denote by $a^{\Omega}$ the assignment that is the union of the assignments of all
$g$ occurring in D-sequents $(\exists X[F], g) \rightarrow \{v\}$ of $\Omega$. We will call $a^{\Omega}$ the axis of
$\Omega$.

Definition 21. Let $\Omega$ be a consistent set of D-sequents for an $\exists$CNF formula
$\exists X[F]$. We will call D-sequent $(\exists X[F], a^{\Omega}) \rightarrow X^{\Omega}$ the mergence D-sequent
for $\Omega$. We will call set $\Omega$ mergeable if the mergence D-sequent of $\Omega$ holds for
$\exists X[F]$.
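
Definitions 16 to 21 are purely syntactic, so they can be exercised directly. The following Python sketch is an added example, not code from the paper or from the DDS implementation: it represents a D-sequent as a pair (assignment, set of variables) with the formula left implicit, and builds the axis and the mergence D-sequent of a set. All names and the sample sets are constructed for illustration. Whether the mergence D-sequent actually holds is a semantic question that the sketch does not decide. Rejecting an axis that assigns a variable of $X^{\Omega}$ is this example's own well-formedness check, taken from the side condition $Z \subseteq (X \setminus Vars(q))$ of Definition 16.

```python
from typing import Dict, FrozenSet, List, NamedTuple

Assignment = Dict[str, int]  # partial assignment: variable name -> 0 or 1


class DSequent(NamedTuple):
    """(EX[F], q) -> Z with the formula left implicit (hypothetical type)."""
    q: Assignment
    z: FrozenSet[str]


def consistent(q1: Assignment, q2: Assignment) -> bool:
    """Definition 17: no shared variable has different values."""
    return all(q2[v] == val for v, val in q1.items() if v in q2)


def union(q1: Assignment, q2: Assignment) -> Assignment:
    """Definition 17: union of two consistent assignments."""
    if not consistent(q1, q2):
        raise ValueError("assignments are not consistent")
    return {**q1, **q2}


def is_consistent_set(omega: List[DSequent]) -> bool:
    """Definitions 16 and 18: single-variable, pairwise consistent."""
    if any(len(s.z) != 1 or any(v in s.q for v in s.z) for s in omega):
        return False
    return all(consistent(a.q, b.q)
               for i, a in enumerate(omega) for b in omega[i + 1:])


def redundant_vars(omega: List[DSequent]) -> FrozenSet[str]:
    """Definition 19: X^Omega, enforcing |X^Omega| = |Omega|."""
    xs = [next(iter(s.z)) for s in omega]
    if len(set(xs)) != len(xs):
        raise ValueError("more than one D-sequent for the same variable")
    return frozenset(xs)


def axis(omega: List[DSequent]) -> Assignment:
    """Definition 20: union of the assignments of all D-sequents."""
    a: Assignment = {}
    for s in omega:
        a = union(a, s.q)
    return a


def mergence(omega: List[DSequent]) -> DSequent:
    """Definition 21: the pair (a^Omega, X^Omega), built syntactically."""
    if not is_consistent_set(omega):
        raise ValueError("set is not consistent")
    a, xs = axis(omega), redundant_vars(omega)
    clash = sorted(v for v in xs if v in a)
    if clash:  # example's own check, see the note above the code
        raise ValueError(f"axis assigns variables of X^Omega: {clash}")
    return DSequent(a, xs)


# Constructed sample sets (y* non-quantified, x* quantified variables).
OMEGA_OK = [DSequent({"y1": 0}, frozenset({"x1"})),
            DSequent({"y1": 0, "y2": 1}, frozenset({"x2"})),
            DSequent({"y2": 1}, frozenset({"x3"}))]
OMEGA_INCONSISTENT = [DSequent({"y1": 0}, frozenset({"x1"})),
                      DSequent({"y1": 1}, frozenset({"x2"}))]
OMEGA_CLASH = [DSequent({"y1": 0}, frozenset({"x1"})),
               DSequent({"x1": 1}, frozenset({"x2"}))]
```
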

Definition 22. Let $\Omega$ be a consistent set of D-sequents for an $\exists$CNF formula
$\exists X[F]$. Let a total order $\prec$ be specified on $X^{\Omega}$, i.e. for any pair of variables
$v', v'' \in X^{\Omega}$, $v' \neq v''$, either $v' \prec v''$ or $v'' \prec v'$ holds. We will call set $\Omega$ with
order $\prec$ an ordered set of D-sequents. We will say that $\prec$ is a constructive
order if for every variable $v \in X^{\Omega}$, the D-sequents $(\exists X[F \setminus F^{Z' \cup Z''}], g) \rightarrow \{v\}$
hold where $Z' \subseteq Z_{<v}$, $Z'' \subseteq Z_{<v}$ and

1. $Z_{<v}$ is the set of variables of $X^{\Omega}$ preceding $v$ with respect to order $\prec$.

2. Variable $w$ of $Z_{<v}$ is in $Z'$ iff $s \leq g$ holds where $(\exists X[F], s) \rightarrow \{w\}$,
$(\exists X[F], g) \rightarrow \{v\}$ are the D-sequents of $\Omega$ stating the redundancy of $w$, $v$.

3. $Z''$ is any subset of variables of $Z_{<v} \setminus Z'$.

Lemma 3. Let D-sequent $(\exists X[F], q) \rightarrow Z$ hold and $r$ be an assignment such
that $q \leq r$. Then D-sequent $(\exists X[F], r) \rightarrow Z$ holds too.

Proof: Assume the contrary i.e. $(\exists X[F], r) \rightarrow Z$ does not hold. Then there
is a point $p$ where $r \leq q$ such that $p$ is an $X$-removable $Z'$-boundary point of
$F_r$ that is also $X$-removable in $F$. Since $q \leq r$, the sets of clauses of $F$ falsified
by $p$ in $F_q$ and $F_r$ are the same. So $p$ is a $Z'$-boundary point of $F_q$. Since $p$
is $X$-removable in $F$ it is also $X$-removable in $F_q$. (Assume the contrary i.e. $p$
is not $X$-removable in $F_q$. Then an assignment $s$ obtained from $p$ by flipping
values of variables of $X \setminus Vars(q)$ satisfies $F_q$. Hence $s$ satisfies $F$ as well and so
$p$ is not $X$-removable in $F$.) Then we have to conclude that the variables of $Z$
are not redundant in $\exists X[F_q]$. Contradiction □

Lemma 4. Let $\Omega$ be a consistent set of D-sequents for an $\exists$CNF formula
$\exists X[F]$. Let there exist a constructive order $\prec$ on $X^{\Omega}$. Then any non-empty
subset $\Psi$ of $\Omega$ is a mergeable set of D-sequents.

Proof: Denote by $\Phi$ the set comprising every D-sequent $(\exists X[F], g) \rightarrow \{v\}$
of $\Psi$ and every D-sequent of $\Omega$ specifying redundancy of variables of every
set $Z'$ (see condition 2 of Definition 22). First we prove that the D-sequent
$(\exists X[F], a^{\Phi}) \rightarrow X^{\Phi}$ holds where $a^{\Phi}$ is the axis for $\Phi$. The fact that this
D-sequent holds implies that D-sequent $(\exists X[F], a^{\Psi}) \rightarrow X^{\Psi}$ does too. Indeed, due
to condition 2 of Definition 22, $a^{\Phi} = a^{\Psi}$. So $(\exists X[F], a^{\Psi}) \rightarrow X^{\Phi}$ holds. Besides,
since $X^{\Psi} \subseteq X^{\Phi}$, from Lemma 2 it follows that the D-sequent $(\exists X[F], a^{\Psi}) \rightarrow X^{\Psi}$
holds and so $\Psi$ is mergeable.

We prove the correctness of the D-sequent $(\exists X[F], a^{\Phi}) \rightarrow X^{\Phi}$ by induction
in the size of $\Phi$.

Base step. Assume $|\Phi| = 1$. According to Definition 22 if $\Phi$ contains only one
D-sequent $S$, then the mergence D-sequent is equal to $S$ and so it holds.

Inductive step. Assume that D-sequent $(\exists X[F], a^{\Phi}) \rightarrow X^{\Phi}$ holds if $|\Phi| = k$.
Let $v$ be the variable following the variables of $X^{\Phi}$ with respect to order
$\prec$. Denote by $S$ the D-sequent $(\exists X[F], g) \rightarrow \{v\}$ of $\Omega$ stating redundancy
of $v$. Since $\prec$ is constructive, then according to Definition 22 a D-sequent
$(\exists X[F \setminus F^{Z}], g) \rightarrow \{v\}$ holds where $Z = X^{\Phi}$.

Let $a^{\Phi \cup \{S\}}$ be the axis for $\Phi \cup \{S\}$. By construction, $g \leq a^{\Phi \cup \{S\}}$ and
$a^{\Phi} \leq a^{\Phi \cup \{S\}}$. So according to Lemma R the D-sequents $(\exists X[F], a^{\Phi \cup \{S\}}) \rightarrow X^{\Phi}$
and $(\exists X[F \setminus F^{Z}], a^{\Phi \cup \{S\}}) \rightarrow \{w\}$ hold. Finally, taking into account that
$Z = X^{\Phi}$, from Proposition [I] it follows that the D-sequent $(\exists X[F], a^{\Phi \cup \{S\}})
\rightarrow X^{\Phi} \cup \{v\}$ holds. So the set of D-sequents $\Phi \cup \{S\}$ is mergeable.

Definition 23. Let $\Omega$ be a consistent set of D-sequents for an $\exists$CNF formula
$\exists X[F]$. Let $H$ denote the set of variables $Vars(F) \setminus (X^{\Omega} \cup Vars(a^{\Omega}))$ where
$a^{\Omega}$ is the axis of $\Omega$. Let denote a set of $k$ orders $\{\prec_1, \ldots, \prec_k\}$ specified
on variables of $X^{\Omega}$. We will call a constructive multi-order if for every
complete assignment $q$ to the variables of $H$ there is an order $\prec_i$ of that is
constructive for formula $F$ in subspace $q$.

Lemma 5. Let $\Omega$ be a consistent set of D-sequents for an $\exists$CNF formula
$\exists X[F]$. Let there exist a constructive multi-order on $X^{\Omega}$. Then any non-empty
subset of $\Omega$ is mergeable.

Proof: Let $q$ be an arbitrary complete assignment to the variables of $H$. Then
there is an order $\prec_j$ of that is constructive in subspace $q$. Using the same
arguments as in Lemma 4 one can show that $\Psi$ is mergeable in subspace $q$.
That is the D-sequent $(\exists X[F], a) \rightarrow X^{\Psi}$ holds where $a$ is the union of $q$ and
$a^{\Psi}$ (the latter being the axis of $\Psi$). By joining all such D-sequents on variables
of $H$, one produces the mergence D-sequent $(\exists X[F], a^{\Psi}) \rightarrow X^{\Psi}$ □

Lemma 6. Let $\Omega$ be a consistent set of D-sequents for an $\exists$CNF formula $\exists X[F]$.
Let there exist a constructive multi-order on $X^{\Omega}$. Let $q$ be an assignment to
variables of $Vars(F)$ such that $a \leq q$ where $a$ is the axis of $\Omega$. Let $v \in X \setminus
(Vars(q) \cup X^{\Omega})$ be a blocked variable of $F_q$. Then D-sequent $(\exists X[F], g) \rightarrow \{v\}$
holds where $g$ is defined as follows. For every pair of clauses $C'$, $C''$ of $F$ that
can be resolved on variable $v$, $g$ contains either

• an assignment satisfying $C'$ or $C''$ or

• all the assignments of $r$ such that

  • a D-sequent $(\exists X[F], r) \rightarrow \{w\}$ is in $\Omega$ and

  • $C'$ or $C''$ contains variable $w$

Proof: Denote by $\Psi$ the subset of $\Omega$ comprising all D-sequents $(\exists X[F], r) \rightarrow
\{w\}$ such that $w$ is in a $\{v\}$-clause of $F$ and $r \leq g$. From Lemma 5 it follows
that D-sequent $(\exists X[F], a^{\Psi}) \rightarrow X^{\Psi}$ holds. Notice that variable $w$ is blocked
in the formula $F_g \setminus (F_g)^{X^{\Psi}}$. Then Proposition [i] entails that $w$ is redundant
in $F_g \setminus (F_g)^{X^{\Psi}}$. Since, by construction, $g \leq a^{\Psi}$, then Lemma [i] implies that
D-sequent $(\exists X[F], g) \rightarrow X^{\Psi}$ holds. Then from Proposition 4 it follows that
the D-sequent $(\exists X[F], g) \rightarrow X^{\Psi} \cup \{w\}$ holds. Finally, Lemma 2 implies that
$(\exists X[F], g) \rightarrow \{w\}$ holds too.

Remark 3. In the proof of Lemma 6 we established the correctness of D-sequent
$(\exists X[F \setminus F^{X^{\Psi}}], g) \rightarrow \{w\}$ where $\Psi$ is the set of D-sequents $(\exists X[F], r) \rightarrow \{w\}$
of $\Omega$ such that $r \leq g$. Note that any D-sequent $(\exists X[F \setminus F^{Z}], g) \rightarrow \{w\}$ where
$\Psi \subseteq Z \subseteq \Omega$ holds too. The reason is that $w$ remains blocked as long as the
clauses containing variables of $X^{\Psi}$ are removed from $F_g$ □

Proposition 9. DDS is sound and complete. 

Proof: First, we show that DDS is complete. DDS builds a binary search tree 
and visits every node of this tree at most three times (when starting the left 
branch, when backtracking to start the right branch, when backtracking from 
the right branch). So DDS is complete. 

Now we prove that DDS is sound. DDS terminates in two cases. First, it
terminates when an empty clause is derived, which means that $F$ is unsatisfiable.
In this case, the formula $G$ returned by DDS consists only of an empty
clause. This result is correct because this clause is built by resolving clauses of
$F$ and resolution is sound. Second, DDS terminates after building a sequence
of D-sequents $(\exists X[F], \emptyset) \rightarrow \{x_{i_1}\}, \ldots, (\exists X[F], \emptyset) \rightarrow \{x_{i_k}\}$ where $x_{i_1}, \ldots, x_{i_k}$ are
the variables forming $X$. As we show below, the D-sequents derived by DDS are
correct and a constructive multi-order holds on the current set of redundant
variables $X^{\Omega}$ where $\Omega$ is the current set of active D-sequents. Then from
Lemma 5 it follows that the D-sequent $(\exists X[F], \emptyset) \rightarrow X$ holds. This means that
the formula $G$ obtained by dropping the $X$-clauses from the CNF formula $F$
returned by DDS is equivalent to $\exists X[F]$.



Now we use induction to prove that the D-sequents derived by DDS are 
correct and there exists a constructive multi-order for every set of active D- 
sequents. The base statement is that the D-sequents of an empty set are correct 
and there is a constructive multi-order on an empty set of D-sequents. Both 
these statements are vacuously true. 

The induction step is to show that if

• the first $n$ D-sequents derived by DDS are correct (denote this set of
D-sequents as $\Pi$),

• a constructive multi-order exists on the set $X^{\Omega}$ of variables where $\Omega \subseteq \Pi$ is
the current set of active D-sequents

then

• next D-sequent $S$ is correct and

• a constructive multi-order exists on the set of variables $X^{\Omega \cup \{S\}}$

Due to Proposition^ one can view the D-sequents of $\Pi \cup \{S\}$ as specified with
respect to the current CNF formula $F$. Let us consider the following alternatives.

• $S$ is a D-sequent built for a blocked variable. The correctness of $S$ follows
from Lemma 6 and the induction hypothesis (that the D-sequents of $\Pi$ are
correct). The fact that a constructive multi-order exists on the set of variables
$X^{\Omega \cup \{S\}}$ follows from Remark 3 and the induction hypothesis.

• $S$ is the D-sequent due to appearance in the current formula of a falsified clause
$C$. In this case, $S$ is trivially correct. $S$ remains correct after the set of clauses
$F^{Z}$ is removed from $F_q$ where $q$ is the current set of assignments and $Z$ is
any subset of $X \setminus Vars(q)$. So a constructive multi-order exists on the set of
variables $X^{\Omega \cup \{S\}}$.

• $S$ is obtained by joining two existing D-sequents. The correctness of $S$ follows
from Proposition 8 and the induction hypothesis. The existence of a
constructive multi-order on the set of variables $X^{\Omega \cup \{S\}}$ can be shown
as follows. Let $S$ be equal to $(\exists X[F], r) \rightarrow \{w\}$. Let $S$ be obtained from
D-sequents $S_0$ and $S_1$ by joining at variable $v$. Let $S_0$ and $S_1$ be equal to
$(\exists X[F], r_0) \rightarrow \{w\}$ and $(\exists X[F], r_1) \rightarrow \{w\}$ respectively. We assume here
that $r_0$ and $r_1$ contain assignments $(v = 0)$ and $(v = 1)$ respectively. Assume
the contrary i.e. there is no constructive multi-order for $X^{\Omega} \cup \{w\}$.
This means that a D-sequent $S'$ equal to $(\exists X[F \setminus F^{Z}], r) \rightarrow \{w\}$ does not
hold where $Z$ is a subset of $X^{\Omega}$. Then $S'$ does not hold either in subspace
$r \cup \{(v = 0)\}$ or $r \cup \{(v = 1)\}$. Assume for clarity that $S'$ does not hold in
the former. Consider the following two cases.

  • $(v = 0)$ is the right branch. Then $S_0$ is currently active and there is no
  constructive multi-order for the variables of $X^{\Omega}$. This contradicts the
  induction hypothesis.

  • $(v = 0)$ is the left branch. Then there was no constructive multi-order
  for the variables of $X^{\Omega}$ when $S_0$ was active in the left branch. This
  contradicts the induction hypothesis □



Proposition of Section 6

Definition 24. We will refer to D-sequents derived due to appearance of an
empty clause in formula $F_q$ (see Subsection 5.2) as clause D-sequents.



Proposition 10 (compositionality of DDS). Let $T$ be the search tree built by
DDS when solving the QE problem $\exists X[F_1 \wedge \ldots \wedge F_k]$, $Vars(F_i) \cap Vars(F_j) = \emptyset$,
$i \neq j$. Let $X_i = X \cap Vars(F_i)$ and $Y_i = Vars(F_i) \setminus X$. The size of $T$ in the
number of nodes is bounded by $|Vars(F)| \cdot (\eta(X_1 \cup Y_1) + \ldots + \eta(X_k \cup Y_k))$ where
$\eta(X_i \cup Y_i) = 2 \cdot 3^{|X_i \cup Y_i|} \cdot (|X_i| + 1)$, $i = 1, \ldots, k$ no matter how decision branching
variables are chosen.



Proof: Denote by $Y$ the set of variables $Vars(F) \setminus X$.

We prove this proposition for a slightly modified version of DDS. In the
version of DDS shown in Figure [I] the D-sequents depending on the branching
variable are discarded. The modification is to keep all derived D-sequents. (See
the discussion in the first section of the Appendix.) This means that there is a
set $\Pi$ where all derived D-sequents are stored. We assume that DDS does not
derive the same D-sequent twice. That is if $\Pi$ contains a D-sequent $S$ equal to
$(\exists X[F], q) \rightarrow \{x\}$, then the modified DDS declares $\{x\}$ redundant as soon as
$S$ becomes active instead of deriving it again.

Let P be a path of T and n(v) be a node of T that is on P. Here v is the 
branching variable selected in the node n by DDS. We will call n(v) a BCP 
node, if the variable v was selected due to its presence in a unit clause of F q . 
We will call P an essential path, if for every BCP node n(v) lying on P (if 
any) the latter corresponds to the right branch of n. That is the variable v is 
currently assigned the value satisfying the unit clause C of F q due to which v 
was picked. Recall that the first value assigned to v by DDS falsifies C. 

Let d denote the total number of nodes lying on essential paths. Notice that 
the number of all nodes of T is bounded by 2 • d. The reason is that a non- 
essential path contains a BCP node n(v) where v is assigned the value falsifying 
the unit clause due to which v was selected. So the last node of this path is the 
left child of node n(v). Thus the number of nodes lying only on non-essential 
paths is bounded by the number of BCP nodes of T. Since every BCP node lies 
on an essential path, the total number of nodes of T is bounded by 2 • d. 

Denote by $N_{ess\_paths}$ the total number of essential paths of $T$. Denote by
$N_{res\_cl}$ the total number of resolvent clauses generated by DDS. Denote by
$N_{D\_seqs}$ the total number of D-sequents generated by DDS with the exception
of clause D-sequents.

We do the rest of the proof in two steps. First we show that $N_{ess\_paths} \leq
N_{res\_cl} + N_{D\_seqs}$. Since a path of $T$ cannot contain more than $|X \cup Y|$ nodes,
this means that the total number of nodes of $T$ is bounded by $2 \cdot |X \cup Y| \cdot
(N_{res\_cl} + N_{D\_seqs})$. In the second step, we show that $2 \cdot (N_{res\_cl} + N_{D\_seqs}) \leq
\eta(X_1 \cup Y_1) + \ldots + \eta(X_k \cup Y_k)$ where $\eta(X_i \cup Y_i) = 2 \cdot 3^{|X_i \cup Y_i|} \cdot (|X_i| + 1)$, $i = 1, \ldots, k$.

FIRST STEP: To prove that $N_{ess\_paths} \leq N_{res\_cl} + N_{D\_seqs}$ we show that every
essential path of $T$ corresponds to a new resolvent clause or a new D-sequent
generated by DDS that is not a clause D-sequent. Let $P$ be an essential path
of $T$. Let $v \in X \cup Y$ be the first variable of $P$ picked by DDS for branching.
The very fact that $v$ was selected means that some of the variables of $X$ were
not proved redundant in $\exists X[F]$ yet. Let us assume the contrary, that is DDS is
able to finish $P$ without generating a new clause or a new D-sequent that is not
a clause D-sequent. This is only possible if DDS can assign all free non-redundant
variables of $X$ without running into a conflict (in which case a new clause is
generated) or producing a new blocked variable (in which case a new non-clause
D-sequent is generated).

Let $x \in X$ be the last variable assigned by DDS on path $P$. That is every
other variable of $X$ is either assigned or proved redundant before making an
assignment to $x$. Let $q$ be the set of assignments on path $P$ made by DDS before
reaching the node $n(x)$, and $X'$ be the set of all redundant variables of $X$ in $F_q$.
Since variables of $Y$ are assigned before those of $X$, all non-detached variables
of $Y$ are assigned. Then the current formula, i.e., formula $F_q \setminus F_q^{X'}$ has only two
kinds of clauses:

• clauses depending only on detached variables of $Y$ or

• unit clauses that depend only on variable $x$.

The two possibilities for the unit clauses depending on $x$ are as follows.

• $F_q \setminus F_q^{X'}$ contains both clauses $x$ and $\overline{x}$. Then, DDS generates a new clause.
Contradiction.

• $F_q \setminus F_q^{X'}$ does not contain either $x$ or $\overline{x}$ or both. Then $x$ is blocked and
DDS generates a new non-clause D-sequent. Contradiction.

SECOND STEP: Notice that no clause produced by resolution can share variables
of two different subformulas $F_i$ and $F_j$. This means that for every clause $C$
produced by DDS, $Vars(C) \subseteq (X_i \cup Y_i)$ for some $i$. The total number of clauses
depending on variables of $X_i \cup Y_i$ is $3^{|X_i \cup Y_i|}$. So $N_{res\_cl} \leq 3^{|X_1 \cup Y_1|} + \ldots + 3^{|X_k \cup Y_k|}$.
Now we show that $N_{D\_seqs} \leq |X_1| \cdot 3^{|X_1 \cup Y_1|} + \ldots + |X_k| \cdot 3^{|X_k \cup Y_k|}$ and hence
$2 \cdot (N_{res\_cl} + N_{D\_seqs}) \leq \eta(X_1 \cup Y_1) + \ldots + \eta(X_k \cup Y_k)$. The idea is to prove
that every non-clause D-sequent generated by DDS is limited to $F_i$, i.e., has
the form $(\exists X[F], g) \rightarrow \{x\}$ where $Vars(g) \subseteq X_i \cup Y_i$ and $x \in X_i$. The total
number of D-sequents limited to $F_i$ is equal to $|X_i| \cdot 3^{|X_i \cup Y_i|}$. (So the total
number of D-sequents limited to $F_i$, $i = 1, \ldots, k$ is bounded by $|X_1| \cdot 3^{|X_1 \cup Y_1|} +
\ldots + |X_k| \cdot 3^{|X_k \cup Y_k|}$.) The factor $|X_i|$ is the number of variables appearing on
the right side of a D-sequent limited to $F_i$. The factor $3^{|X_i \cup Y_i|}$ specifies the total
number of all possible assignments $g$. Recall that due to Proposition]?) D-sequent
$(\exists X[F], g) \rightarrow \{x\}$ is invariant to adding resolvent clauses to $F$. For that reason,
we ignore the left side parameter $F$ when counting the number of D-sequents
limited to $F_i$.

Now we prove that every non-clause D-sequent derived by DDS is limited
to a formula $F_i$. We carry out this proof by induction. Our base statement is
that D-sequents of an empty set are limited to $F_i$. It is vacuously true. Assume
that the non-clause D-sequents generated so far are limited to $F_i$ and then
show that this holds for the next non-clause D-sequent $S$. Let $S$ be a D-sequent
$(\exists X[F], g) \rightarrow \{x\}$ generated for a blocked variable $x \in X_i$. Such a D-sequent
is built as described in Lemma 6. Then $g$ consists of assignments satisfying
$\{x\}$-clauses of $F$ or being the reason for their redundancy. Since clauses of
different subformulas cannot be resolved with each other, every $\{x\}$-clause of $F$
can only have variables of $F_i$ where $x \in Vars(F_i)$. By the induction hypothesis
every non-clause D-sequent is limited to some subformula. On the other hand,
DDS looks for blocked variables when $F_q$ has no empty clause. So, at the time
$S$ is derived, no variable of $F_q$ can be redundant due to a clause D-sequent. This
means that if a variable $x^*$ of an $\{x\}$-clause of $F$ is redundant due to D-sequent
$(\exists X[F], g^*) \rightarrow \{x^*\}$ then $Vars(g^*) \subseteq Vars(F_i)$. So $Vars(g) \subseteq Vars(F_i)$.

Now consider the case when $S$ is obtained by joining two D-sequents $S'$, $S''$.
Let us consider the following three possibilities

• Neither $S'$ nor $S''$ is a clause D-sequent. Then according to the induction
hypothesis they should be limited to $F_i$. (They cannot be limited to different
subformulas because then they cannot be joined due to absence of a common
variable.) Then due to Definition 15 the D-sequent produced by joining $S'$
and $S''$ is also limited to $F_i$.

• Either $S'$ or $S''$ is a clause D-sequent. Let us assume for the sake of clarity
that this is the D-sequent $S'$. This means that $S'$ has the form $(\exists X[F], g) \rightarrow \{x\}$
where $g$ is the minimum set of assignments falsifying a clause $C$ of $F$ and
$x \in X \setminus Vars(g)$. Since for any resolvent $C$ of $F$, $Vars(C) \subseteq Vars(F_i)$, then
$Vars(g) \subseteq Vars(F_i)$. By the induction hypothesis, $S''$ is limited to $F_j$. Since
$S'$ and $S''$ have at least one common variable (at which they are joined),
$j$ has to be equal to $i$. So $x \in X_j$. Then joining $S'$ with $S''$ produces a
D-sequent that is also limited to $F_j$.

• Both $S'$ and $S''$ are clause D-sequents. We do not care about this situation
because by joining $S'$ and $S''$ one obtains a clause D-sequent □



